Abstract. Sampled semantics of timed automata is a finite approximation of their dense time behavior. While the former is closer to the actual software or hardware systems with a fixed granularity of time, the abstract character of the latter makes it appealing for system modeling and verification. We study one aspect of the relation between these two semantics, namely checking whether the system exhibits some qualitative (untimed) behaviors in the dense time which cannot be reproduced by any implementation with a fixed sampling rate. More formally, the sampling problem is to decide whether there is a sampling rate such that all qualitative behaviors (the untimed language) accepted by a given timed automaton in dense time semantics can be also accepted in sampled semantics. We show that this problem is decidable.



1. Introduction 

Dense time semantics allows timed automata [AD94] to delay for arbitrary real valued 
amounts of time. This includes also arbitrarily small delays and delays which differ from 
each other by arbitrarily small values. Neither of these behaviors can be enforced by an 
implementation operating on a concrete hardware. Each such implementation necessarily 
includes some (hardware) digital clock which determines the least time delay measurable or 
enforceable by the system. 

This observation motivates sampled semantics of timed automata, which is a discrete time semantics with the smallest time step fixed to some fraction of 1. In other words, the time delays in a sampled semantics with the smallest step ε can be only multiples of ε. There are infinitely many different sampled semantics, but any of them allows fewer behaviors of the system than dense time semantics. On the other hand, all of the allowed behaviors in a sampled semantics with the sampling rate (the smallest step) ε will be preserved in an implementation on a platform with the clock rate ε (and all fractions of ε).

One of the arguments in favor of using dense time semantics is that one does not have to 
consider a concrete sampling rate of an implementation in the modeling and analysis phase. 
Dense time semantics abstracts away from concrete sampling rates by including all of them. 
Also, it seems adequate to assume that the environment stimuli come at any real time point 
without our control. 
If a concrete timed automaton serves as a system description for later implementation, one might try to find a sampling rate which preserves all qualitative behaviors (untimed words). The restriction to qualitative behaviors is necessary, because any sampling rate excludes infinitely many dense time behaviors. By this we lose the explicit timing information, but many important properties, including implicit timing, are preserved. For instance, if we know that the letter b cannot appear later than 5 time units after an occurrence of the letter a in the dense time model and then there is an untimed word accepted by this automaton where a is followed by b then we know that there is a run where b comes within 5 time units after a.

The problem of our interest can be formalized as follows: decide whether for a given 
timed automaton there is a sampling rate such that all untimed words accepted by the 
automaton in dense time semantics are also accepted in sampled semantics with the fixed 
sampling rate. We call this the sampling problem for timed automata. 

There are timed automata with qualitative behaviors which are not accepted in any sampled semantics. This relies on the fact that timed automata can force differences between the fractional parts of the clock values to grow. In sampled semantics with the smallest time step fixed to ε, the distance can only be increased in multiples of ε, which implies that the distance between a pair of clocks can grow at most 1/ε times. One more increase would make the fractional parts equal again. A sampling rate ensuring acceptance of an untimed word must induce enough valuations within each clock region in order to accommodate increases of the distances between the fractional parts of clock values along some accepting run. If there is a sequence of untimed words which require smaller and smaller time steps in order to be accepted then any fixed sampling necessarily loses some of these words.

To enforce clock difference growth, a timed automaton has to use strict inequalities < and > in its clock guards. Closed timed automata, i.e., timed automata with only non-strict inequalities ≤ and ≥ in the guards, can always be sampled with the sampling rate 1. Closed timed automata possess one important property: they are closed under digitization [OW03b]. The property "closed under digitization" has been defined in [HMP92] and it is connected to our problem in the following sense: if the timed language of a timed automaton is closed under digitization then all (untimed) behaviors of this timed automaton are preserved with ε = 1. Also, closure under digitization was shown to be decidable in [OW03a].

The growth of clock value differences corresponds to a special type of memory. When a 
clock value difference grows three times then there must be at least three different clock value 
differences smaller than the current one. We show that this memory can be characterized by 
a new type of counter automata - with finite state control and a finite number of unbounded 
counters taking values from the natural numbers. The counters can be updated along the 
transitions by the following instructions: 

• 0: the counter keeps its value unchanged, 

• 1: the counter value is incremented, 

• r: the counter value is reset to 0, 

• copy: the counter value is set to the value of another counter, 

• max: under some conditions, the counter value can be set to the maximum of sums of 
pairs of counters. 

The sampling problem can be reformulated for our counter automata as follows. We want 
to decide whether there is a bound such that all words accepted by the automaton can be 
accepted also by runs along which all counters are bounded by this bound. This problem was studied earlier as the limitedness problem for various types of automata with counters. We show that this problem is decidable for our automata by reducing it to the limitedness problem of a simpler type of automata, R-automata [AKY08].

Related work. The problem of asking for a sampling rate which satisfies given desirable properties has been studied in [AMP98, CHR02, KP05]. In [AMP98], the authors identify subclasses of timed automata (or, digital circuits which can be translated to timed automata) such that there is always an ε which preserves all qualitative behaviors. The problem of deciding whether there is a sampling rate ensuring language non-emptiness is studied in [CHR02, KP05]. Work on digitization of timed languages [HMP92] identifies systems for which verification results obtained in discrete time transfer also to the dense time setting. Digitization takes timing properties into account more explicitly, while we consider only qualitative behaviors. A different approach to discretization has been developed in [GPV94]. This discretization scheme preserves all qualitative behaviors for the price of skewing the time passage. Implementability of systems modeled by timed automata on a digital hardware has been studied in [WDR04, KMTY04, AT05]. The papers [WDR04, KMTY04] propose a new semantics of timed automata with which one can implement a given system on a sufficiently fast platform. On the other hand, [AT05] suggests a methodology in which the hardware platform is modeled by timed automata in order to allow checking whether the system satisfies the required properties on the given platform.

The limitedness problem has been studied for various types of finite automata with counters. First, it has been introduced by Hashiguchi [Has82] for distance automata (automata with one counter which can be only incremented). Different proofs of the decidability of the limitedness problem for distance automata are reported in [Has90, Leu91, Sim94]. Distance automata were extended in [Kir05] with additional counters which can be reset following a hierarchical discipline resembling parity acceptance conditions. Our automata relax this discipline and allow the counters to be reset arbitrarily. Universality of a similar type of automata for tree languages is studied in [CL08b, CL08a]. A model with counters which can be incremented and reset in the same way as in R-automata, called B-automata, is presented in [BC06]. B-automata accept infinite words such that the counters are bounded along an infinite accepting computation.

Structure of the Paper. The rest of the paper is organized as follows. In Section 2 we introduce timed automata, dense time and sampled semantics, and our problem. Moreover, we define some technical concepts. Section 3 states the result and sketches the structure of the proof. The model of automata with counters is presented in Section 4, where also the important properties of these automata are shown. The main step of the proof, the construction of a counter automaton from a given timed automaton, together with the correspondence proofs is in Section 5. The proof is completed in Section 6.

2. Preliminaries 

In this section, we define syntax and two types of semantics (standard real time and 
sampled semantics) of timed automata and our problem. We also define region graphs for 
timed automata and a new notation which simplifies talking about clock differences and 
clock regions. Let N denote the set of non-negative integers. 



P. A. ABDULLA, P. KRCAL, AND W. YI 



Syntax. Let C be a finite set of non-negative real-valued variables called clocks. The set of guards $G(C)$ is defined by the grammar $g ::= x \bowtie c \mid g \wedge g$ where $x \in C$, $c \in \mathbb{N}$ and $\bowtie \in \{<, \leq, >, \geq\}$. A timed automaton is a tuple $A = (Q, \Sigma, C, q_0, E, F)$, where:

• Q is a finite set of locations,

• Σ is a finite alphabet,

• C is a finite set of clocks,

• $q_0 \in Q$ is an initial location,

• $E \subseteq Q \times \Sigma \times G(C) \times 2^C \times Q$ is a finite transition relation, and

• $F \subseteq Q$ is a set of accepting locations.

Semantics. Semantics is defined with respect to a given time domain $\mathbb{T}$. We suppose that a time domain is a subset of real numbers which contains 0 and is closed under addition. Also, we suppose that $\mathbb{T} \cap \Sigma = \emptyset$. A clock valuation is a function $\nu : C \to \mathbb{T}$. If $r \in \mathbb{T}$ then a valuation $\nu + r$ is such that for each clock $x \in C$, $(\nu + r)(x) = \nu(x) + r$. If $Y \subseteq C$ then a valuation $\nu[Y := 0]$ is such that for each clock $x \in C \setminus Y$, $\nu[Y := 0](x) = \nu(x)$ and for each clock $x \in Y$, $\nu[Y := 0](x) = 0$. The satisfaction relation $\nu \models g$ for $g \in G(C)$ is defined in the natural way.

The semantics of a timed automaton $A = (Q, \Sigma, C, q_0, E, F)$ with respect to the time domain $\mathbb{T}$ is a labeled transition system (LTS) $[\![A]\!]_{\mathbb{T}} = (\hat{Q}, \Sigma \cup \mathbb{T}, \to, \hat{q}_0)$ where $\hat{Q} = Q \times \mathbb{T}^C$ is the set of states, $\hat{q}_0 = (q_0, \nu_0)$ is the initial state, $\nu_0(x) = 0$ for all $x \in C$. The transition relation is defined as follows: $(q, \nu) \xrightarrow{a} (q', \nu')$ if and only if

• time step: $a \in \mathbb{T}$, $q = q'$, and $\nu' = \nu + a$, or

• discrete step: $a \in \Sigma$, there is $(q, a, g, Y, q') \in E$, $\nu \models g$, $\nu' = \nu[Y := 0]$.

We call paths in the semantics LTS runs. For a finite run ρ let $l(\rho) \in (\Sigma \cup \mathbb{T})^*$ be the sequence of labels along this path. Let $l(\rho) \upharpoonright \mathbb{T} \in \Sigma^*$ be the sequence of labels with all numbers projected out. We use the same notation also for infinite (countable) runs containing infinitely many discrete steps. Namely, $l(\rho) \upharpoonright \mathbb{T} \in \Sigma^\omega$ if ρ is such a run.

Language. A finite run $\rho = (q_0, \nu_0) \to^* (q, \nu)$ is accepting if $q \in F$. The (untimed finite word) language of a timed automaton A parameterized with the time domain $\mathbb{T}$, denoted $L_{\mathbb{T}}(A)$, is the set of words which can be read along the accepting runs of the semantics LTS. Formally, $L_{\mathbb{T}}(A) = \{ l(\rho) \upharpoonright \mathbb{T} \mid \rho \text{ is a finite accepting run in } [\![A]\!]_{\mathbb{T}} \}$.

An infinite (countable) run with infinitely many discrete steps is accepting if it contains an infinite set of states $\{(q, \nu_i) \mid i \in \mathbb{N}\}$ such that $q \in F$ (standard Büchi acceptance condition). The (untimed) ω-language of a timed automaton A parameterized with the time domain $\mathbb{T}$, denoted $L^\omega_{\mathbb{T}}(A)$, is the set of words which can be read along the infinite countable accepting runs of the semantics LTS. Formally, $L^\omega_{\mathbb{T}}(A) = \{ l(\rho) \upharpoonright \mathbb{T} \mid \rho \text{ is an infinite countable accepting run in } [\![A]\!]_{\mathbb{T}} \}$.

Let $\mathbb{R}_{\geq 0}$ be the set of all non-negative real numbers. Let the time domain $\mathbb{T}_\varepsilon$ for an $\varepsilon = 1/k$ for some $k \in \mathbb{N}$ be the set $\mathbb{T}_\varepsilon = \{ l \cdot \varepsilon \mid l \in \mathbb{N} \}$. We consider the time domains $\mathbb{R}_{\geq 0}$ and $\mathbb{T}_\varepsilon$ for all ε. The semantics induced by $\mathbb{R}_{\geq 0}$ is called dense time semantics and the semantics induced by a $\mathbb{T}_\varepsilon$ is called ε-sampled semantics. We use the following shortcut notation: $[\![A]\!] = [\![A]\!]_{\mathbb{R}_{\geq 0}}$, $L(A) = L_{\mathbb{R}_{\geq 0}}(A)$, $L^\omega(A) = L^\omega_{\mathbb{R}_{\geq 0}}(A)$, $L_\varepsilon(A) = L_{\mathbb{T}_\varepsilon}(A)$, $L^\omega_\varepsilon(A) = L^\omega_{\mathbb{T}_\varepsilon}(A)$.
Problems. We deal with the following problems. Decide for a timed automaton A whether there is an ε = 1/k for some $k \in \mathbb{N}$ such that

• $L_\varepsilon(A) = L(A)$, (sampling)

• $L^\omega_\varepsilon(A) = L^\omega(A)$ (ω-sampling).

There are timed automata such that no matter how small ε we choose, $L_\varepsilon(A) \neq L(A)$ and (or) $L^\omega_\varepsilon(A) \neq L^\omega(A)$. As an example, consider the timed automaton in Figure 1. It enforces the difference between clock values to shrink while being strictly greater than 0. If the values of x, y are 0.1, 0.6, respectively, in the location $q_1$ then the difference between the clock values in the location $q_1$ after reading ba will be strictly smaller than 0.5.



[Figure 1 diagram; recoverable labels: location $q_0$, an edge labeled a, x < 1 ∧ y < 1, a reset of x, and an edge labeled a, y > … ∧ x < 1.]

Figure 1: A timed automaton which does not preserve qualitative behaviors in sampled semantics. This example is adapted from [AD94].



Region graph. We introduce the region equivalence and the standard notion of region 
graph. Our concept of region equivalence differs from the standard definition in the following 
technical detail: we consider also the fractional parts of the clocks with the integral part 
greater than the maximal constant (but we consider only integral parts smaller than or equal 
to the maximal constant). The important properties of the standard region equivalence 
(untimed bisimilarity of the equivalent valuations and finite index) are preserved in our 
definition. 

Let for any $r \in \mathbb{R}_{\geq 0}$, $\mathrm{int}(r)$ denote the integral part of r and $\mathrm{fr}(r)$ denote the fractional part of r. Let k be an integer constant. For a set of clocks C, the relation $\equiv_k$ on the set of clock valuations is defined as follows:

• $\nu \equiv_k \nu'$ if and only if all the following conditions hold:

– for all $x \in C$: $\mathrm{int}(\nu(x)) = \mathrm{int}(\nu'(x))$ or $(\nu(x) > k \wedge \nu'(x) > k)$,

– for all $x, y \in C$: $\mathrm{fr}(\nu(x)) < \mathrm{fr}(\nu(y))$ if and only if $\mathrm{fr}(\nu'(x)) < \mathrm{fr}(\nu'(y))$ and $\mathrm{fr}(\nu(x)) = \mathrm{fr}(\nu(y))$ if and only if $\mathrm{fr}(\nu'(x)) = \mathrm{fr}(\nu'(y))$,

– for all $x \in C$: $\mathrm{fr}(\nu(x)) = 0$ if and only if $\mathrm{fr}(\nu'(x)) = 0$.

Let A be a timed automaton and K be the maximal constant which occurs in some guard in A. For each location $q \in Q$ and two valuations $\nu \equiv_K \nu'$ it holds that $(q, \nu)$ is untimed bisimilar to $(q, \nu')$. Also, $\equiv_K$ has a finite index for all semantics. We call equivalence classes of the region equivalence $\equiv_K$ regions of A and denote them by $D, D', D_1, \ldots$. For a region D the region D' is the immediate time successor if $D' \neq D$, there is $\nu \in D$, $r \in \mathbb{R}_{\geq 0}$ such that $\nu + r \in D'$, and for all $\nu \in D$, $r \in \mathbb{R}_{\geq 0}$ such that $\nu + r \in D'$ it holds that $\nu + r' \in D \cup D'$ for all $r' < r$.

Let δ be a letter such that $\delta \notin \Sigma$. Given a timed automaton $A = (Q, \Sigma, C, q_0, E, F)$, its region graph $G = (N, \Sigma \cup \{\delta\}, \to)$ is a labeled directed graph where the set of nodes N contains pairs (q, D), where q is a location of A and D is a region of A, and $\to \subseteq N \times (\Sigma \cup \{\delta\}) \times N$ is a set of labeled edges. Informally, the edges lead to an immediate 






time successor (labeled by δ) or a discrete successor (labeled by a letter from Σ). Formally, $(q, D) \xrightarrow{\delta} (q, D')$ if D' is the immediate time successor of D, and $(q, D) \xrightarrow{a} (q', D')$ if $(q, a, g, Y, q') \in E$, $\nu \models g$ for all $\nu \in D$ and $D' = \{ \nu[Y := 0] \mid \nu \in D \}$.

For a path in the region graph $\alpha = (q_1, D_1) \to \cdots \to (q_k, D_k)$ we say that a run of the timed automaton in the real or ε-sampled semantics (a path in $[\![A]\!]_{\mathbb{R}_{\geq 0}}$ or $[\![A]\!]_{\mathbb{T}_\varepsilon}$, respectively) $\rho = (q'_1, \nu_1) \to \cdots \to (q'_l, \nu_l)$ is along this path if $k = l$ and for all $1 \leq i \leq k$, $(q_i, D_i)$ is the i-th node in α, $(q'_i, \nu_i)$ is the i-th state in ρ, $q_i = q'_i$ and $\nu_i \in D_i$. We denote this by $\rho \models \alpha$.

By $D_\varepsilon$, where ε = 1/k for some $k \in \mathbb{N}$, we denote the region D restricted to the valuations from the ε-sampled semantics. I.e., for all $\nu \in D_\varepsilon$, we have that $\nu \in D$ and for all clocks x, $\nu(x) = l_x \cdot \varepsilon$, where $l_x \in \mathbb{N}$.

2.1. Notation for Clock Differences and Regions. We introduce the following notation frequently used in Section 5. For two clocks b and d and a clock valuation ν, we write $bd_\nu$ to denote the difference between the fractional parts of the clocks b, d in the valuation ν. The distance says how much to the right we have to move the left clock (b in our case), where the movement to the right wraps at 1 back to 0, to reach the right clock (d in our case). The concept is demonstrated in Figure 2. This figure depicts a valuation of clocks a, b, c, d, whose integral values are zero (but they are irrelevant for this definition) and whose fractional parts are set according to the figure ($\nu(a) = 0$, $\nu(b) = 0.25$, $\nu(c) = 0.55$, $\nu(d) = 0.75$). The fractional part of d is greater than that of b and hence to compute $bd_\nu$ we simply record how much we need to move b to the right to reach d. This distance is depicted by the (green) dashed arrow above the solid horizontal line. The fractional part of c is greater than that of b and hence to compute $cb_\nu$ we need to move c to the right until it reaches 1, then it wraps (jumps) to 0, and then we move it further to the right to reach b. This distance is depicted by the (red) dashed arrow(s) below the solid horizontal line.

[Figure 2 diagram: the clocks a, b, c, d placed on a line from 0 to 1 according to their fractional parts.]

Figure 2: Illustration of a valuation ν and the distances between the fractional parts of the clocks. The values of the clocks are $\nu(a) = 0$, $\nu(b) = 0.25$, $\nu(c) = 0.55$, $\nu(d) = 0.75$. The distance between b and d is $bd_\nu = 0.5$, the distance between c and b is $cb_\nu = 0.7$. Later on, we use this type of diagram only for regions and not for valuations.

Formally, for clocks x, y and a clock valuation ν, $xy_\nu$ is defined as follows:

$$xy_\nu = \begin{cases} \mathrm{fr}(\nu(y)) - \mathrm{fr}(\nu(x)) & \text{if } \mathrm{fr}(\nu(y)) \geq \mathrm{fr}(\nu(x)) \\ 1 - (\mathrm{fr}(\nu(x)) - \mathrm{fr}(\nu(y))) & \text{otherwise} \end{cases}$$

We also need to talk about the order of the clocks in a region (an equivalence class of a region equivalence). We say that a region D satisfies an (in)equality $x \bowtie y$ or $x = 0$ (written $x \bowtie_D y$, $x =_D 0$) where $\bowtie \in \{<, >, =, \leq, \geq, \neq\}$ if it is true of the fractional parts of x and y in all valuations in the region. Formally, $x \bowtie_D y$ if for all $\nu \in D$, $\mathrm{fr}(\nu(x)) \bowtie \mathrm{fr}(\nu(y))$, and $x =_D 0$ if for all $\nu \in D$, $\mathrm{fr}(\nu(x)) = 0$. Note that for a given region D, either $\mathrm{fr}(\nu(x)) \bowtie \mathrm{fr}(\nu(y))$ holds for all the valuations $\nu \in D$ or it holds for none. Therefore, we adopt the graphical illustration of regions shown in Figure 3. Here, a region D is depicted, where $\mathrm{fr}(\nu(a)) = 0$, $\mathrm{fr}(\nu(a)) < \mathrm{fr}(\nu(b)) = \mathrm{fr}(\nu(e)) < \mathrm{fr}(\nu(c)) < \mathrm{fr}(\nu(d))$ for all $\nu \in D$.

[Figure 3 diagram: the clocks a, then b and e together, then c, then d placed on a line from 0 to 1.]

Figure 3: Illustration of the order of the fractional parts of the clocks in a region D.

The last concept defined here relates the position of three clocks in a region. For clocks x, y, z and a region D, $D \models xyz$ tells us that if we start from x and move to the right (and possibly wrap at 1 back to 0), we meet y before we meet z. Formally, $D \models xyz$ if there is a time successor D' of D such that $x <_{D'} y$ and $y <_{D'} z$. In Figure 3, $D \models bcd$ and $D \models cdb$ hold, but it is not true that, e.g., $D \models dcb$.
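As an added illustration (it is not part of the paper), the following Python code makes the notions of this subsection concrete on explicit valuations: the cyclic distance $xy_\nu$, the region equivalence $\equiv_k$ of Section 2, and the three-clock relation $D \models xyz$. It uses exact rationals so that comparisons of fractional parts are not disturbed by floating point rounding. The dictionary FIG3 is a constructed representative of the region of Figure 3; deciding $D \models xyz$ on a representative is justified because the region equivalence preserves the order of the fractional parts, and the distance-based test is an assumed reformulation of the time-successor definition (y is met strictly before z exactly when $0 < xy_\nu < xz_\nu$).

```python
from fractions import Fraction as F
from math import floor


def fr(r):
    """Fractional part fr(r) of a non-negative number r."""
    return r - floor(r)


def int_part(r):
    """Integral part int(r) of a non-negative number r."""
    return floor(r)


def distance(nu, x, y):
    """xy_nu: how far the fractional part of x has to move to the right,
    wrapping at 1 back to 0, before it reaches the fractional part of y."""
    fx, fy = fr(nu[x]), fr(nu[y])
    return fy - fx if fy >= fx else 1 - (fx - fy)


def region_equivalent(nu1, nu2, k):
    """nu1 =_k nu2: same integral parts (or both above k), same order and
    equalities among the fractional parts, same clocks with fractional part 0."""
    clocks = list(nu1)
    for x in clocks:
        same_int = int_part(nu1[x]) == int_part(nu2[x])
        both_above_k = nu1[x] > k and nu2[x] > k
        if not (same_int or both_above_k):
            return False
        if (fr(nu1[x]) == 0) != (fr(nu2[x]) == 0):
            return False
    for x in clocks:
        for y in clocks:
            if (fr(nu1[x]) < fr(nu1[y])) != (fr(nu2[x]) < fr(nu2[y])):
                return False
            if (fr(nu1[x]) == fr(nu1[y])) != (fr(nu2[x]) == fr(nu2[y])):
                return False
    return True


def meets_before(nu, x, y, z):
    """D |= xyz, decided on a representative valuation nu of the region D:
    starting at x and moving right (wrapping at 1), y is met strictly before z.
    Clocks with equal fractional parts stay equal in every time successor, so
    the distance to y must be strictly positive and strictly below the one to z."""
    return 0 < distance(nu, x, y) < distance(nu, x, z)


# Constructed representative of the region D of Figure 3:
# fr(a) = 0 < fr(b) = fr(e) < fr(c) < fr(d).
FIG3 = {"a": F(0), "b": F(1, 4), "e": F(1, 4), "c": F(11, 20), "d": F(3, 4)}
```

On FIG3 the code reproduces the distances of Figure 2 ($bd_\nu = 1/2$, $cb_\nu = 7/10$) and the three relations stated for Figure 3; the equality of b and e makes $D \models bec$ false, which is the edge case the strict inequalities in the definition are there for.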

3. Results 

We state the main result of this paper, that our problems are decidable, and sketch the scheme of a proof of this result.

Theorem 3.1. Given a timed automaton A, it is decidable whether there is an ε = 1/k for some $k \in \mathbb{N}$ such that

• $L_\varepsilon(A) = L(A)$ and

• $L^\omega_\varepsilon(A) = L^\omega(A)$. □

First, we claim that this theorem is true for timed automata with less than two clocks. It is trivially true for timed automata without clocks (|C| = 0). In Section 6 we show that for a timed automaton A with only one clock (|C| = 1), $L_{1/2}(A) = L(A)$ and $L^\omega_{1/2}(A) = L^\omega(A)$. We assume that |C| ≥ 2 in the rest of the paper.

In Section 4 we develop a tool of independent interest, a non-trivial extension of R-automata. These automata contain unbounded counters which can be incremented, reset to zero, copied into each other, and updated by a special type of max operations. We show that the limitedness problem, i.e., whether there is a bound such that all accepted words can be also accepted by runs along which the counters are smaller than this bound, is decidable for these automata.

The proof of decidability of the sampling problem for timed automata with more than one clock consists of several steps depicted in Figure 4. We start with a given timed automaton A. The first step is of a technical character. We transform the timed automaton A into an equivalent timed automaton A' with respect to sampling which never resets more than one clock along each transition. In the second step, we build the region graph G for this timed automaton A'. The essential part of the proof is then the third step. Here we transform the region graph G into an extended R-automaton R such that each run in R has a corresponding path in G and vice versa. Moreover, for each run in R and the corresponding path in G, there is a relation between the sampling rate which allows for a concrete run along the path and the maximal counter value along the run. The automaton R operates on an extended alphabet: we have inherited one additional letter δ for time pass transitions from the region graph. In the last step, we remove the transitions labeled by δ and build another extended R-automaton R' such that the timed automaton A' can be sampled if and only if R' is limited. This step makes use of the fact that the transitions labeled by δ do not change the counter values, which allows us to use the standard algorithm for removing ε-transitions in finite automata.




[Figure 4 diagram; recoverable labels: "remove multiple resets", "sampling equivalent", and "Relation between counter values and ε along all runs".]

Figure 4: An overview of the proof structure. The abbreviations TA, RG, and ERA stand for Timed Automaton, Region Graph, and Extended R-Automaton, respectively.

The first and the last step are rather straightforward and we show them in Section . The new model of extended R-automata is presented in Section 4. Section 4.3 shows how to reduce the limitedness problem for extended R-automata to the limitedness problem of R-automata, which was shown decidable in [AKY08]. Finally, the main reduction step, the translation of a region graph (induced by A') into an extended R-automaton R and the proof of relation between A' and R, together with an informal overview is shown in Section 5.

4. Extended R-automata 

In this section, we present an extension of R-automata. R-automata are finite state machines with counters which can be updated by the following instructions: no update, increment and reset to zero (0, 1, r, respectively). We extend the set of instructions by a copy of one counter value into another counter and taking a maximum of the counters and sums of pairs of counters under specific conditions. For this extension, we show that the limitedness problem is decidable by a reduction to the universality problem of R-automata, shown decidable in [AKY08].



4.1. Extensions of R-automata. Before we define syntax and semantics of extended R-automata, we give some informal introduction. The first extension is adding the ability to copy the value of one counter into another counter. The instruction set is extended by instructions $*_j$, where j is a counter name and applying this instruction to a counter i results in the counter i having the value of the counter j.

The other extension we need in order to reduce our problems for timed automata to limitedness of counter automata (taking maxima of counters and counter sums) is rather semantical than syntactical. The only syntactical change is that the reset instruction is equipped with a subset of counters, i.e., if n is the number of counters, reset instructions are $r(\Lambda)$, $\Lambda \subseteq \{1, \ldots, n\}$. The semantics maintains three values for each counter (P, M, N) and a preorder $\preceq$ on the counters. This rather nonstandard terminology, a counter containing 



SAMPLED SEMANTICS OF TIMED AUTOMATA 



three values, makes the definitions in this section and proofs in Section 4.3 simpler. One can see this as if for a counter i we now have three new counters $P_i$, $M_i$, and $N_i$.

The values $N_i$ behave in the same way as for R-automata with copying. The preorder tells us how to apply the max operation to the values P and M. These values of a counter j are always greater than these values of a counter i such that $i \prec j$. More concretely, if $i \prec j$ then $M_j \geq M_i + 1$ and if $k, l \prec j$ then $P_j \geq P_k + P_l$. The way in which we update the preorder $\preceq$ along the transitions ensures that, informally, for all counters i, the values $P_i$ and $M_i$ cannot grow unbounded along a run where $N_i$ is bounded.

Syntax. Let for a given number n of counters, $\mathcal{E} = \{0, 1\} \cup \{ r(\Lambda) \mid \Lambda \subseteq \{1, \ldots, n\} \} \cup \{ *_m \mid 1 \leq m \leq n \}$ be the set of instructions on a counter. An extended R-automaton with n counters is a 5-tuple $R = (S, \Sigma, \Delta, s_0, F)$ where

• S is a finite set of states,

• Σ is a finite alphabet,

• $\Delta \subseteq S \times \Sigma \times \mathcal{E}^n \times S$ is a transition relation,

• $s_0 \in S$ is an initial state, and

• $F \subseteq S$ is a set of final states.

Transitions are labeled (together with a letter) by an effect on the counters. The symbol 0 corresponds to leaving the counter value unchanged, the symbol 1 represents an increment, the symbol $r(\Lambda)$ represents a reset (the function of Λ will be explained later), and a symbol $*_j$ means that the value of this counter is set to the value of the counter j. The instructions 0, 1, and $r(\Lambda)$ take place first and after that the values are copied. An automaton which does not contain any copy instruction and all resets contain an empty set is called an R-automaton (effects contain only 0, 1, $r(\emptyset)$). We skip the subset of counters Λ and write r instead of $r(\Lambda)$ when the set does not play any role (e.g., in the whole of Section 4.2).

We use $t, t', t_1, \ldots$ to denote elements of $\mathcal{E}^n$ which we call effects. By $\pi_i(t)$ we denote the i-th projection of t. Without loss of generality, we assume that the value of a counter is never directly copied into itself ($\pi_i(t) \neq *_i$). A path is a sequence of transitions $(s_1, a_1, t_1, s_2), (s_2, a_2, t_2, s_3), \ldots, (s_m, a_m, t_m, s_{m+1})$ such that $\forall 1 \leq i \leq m.\ (s_i, a_i, t_i, s_{i+1}) \in \Delta$. We use $s_i$ to refer to the i-th state of the path. An example of an extended R-automaton is given in Figure 5.



[Figure 5 diagram; recoverable edge label: b, (0, 1).]

Figure 5: An R-automaton with two counters.
Unparameterized semantics. We define an operation ⊕ on the counter values: for any $k \in \mathbb{N}$, $k \oplus 0 = k$, $k \oplus 1 = k + 1$, and $k \oplus r = 0$. We extend this operation to n-tuples and copy instructions as follows. For a $t \in \mathcal{E}^n$, let $\bar{t}$ be an effect with all copy instructions replaced by 0, i.e., $\pi_i(\bar{t}) = \pi_i(t)$ if $\pi_i(t) \in \{0, 1, r(\Lambda)\}$ and $\pi_i(\bar{t}) = 0$ otherwise. For a $t \in \mathcal{E}^n$ and $(c_1, \ldots, c_n) \in \mathbb{N}^n$, $(c_1, \ldots, c_n) \oplus t = (c'_1, \ldots, c'_n)$, where $c'_i = c_j \oplus \pi_j(\bar{t})$ if $\pi_i(t) = *_j$ for some j and $c'_i = c_i \oplus \pi_i(\bar{t})$ otherwise. For example, $(1, 5, 7) \oplus (1, *_1, *_2) = (2, 2, 5)$: first we increment the first counter and then we copy the values of the first and the second counter into the second and the third counter, respectively.

The operational semantics of an extended R-automaton $R = (S, \Sigma, \Delta, s_0, F)$ is given by an LTS $[\![R]\!] = (\hat{S}, \Sigma, T, \hat{s}_0)$, where the set of states $\hat{S}$ contains triples $(s, C, \preceq)$, $s \in S$, $C \in \mathbb{N}^n \times \mathbb{N}^n \times \mathbb{N}^n$, $\preceq$ is a preorder on $\{1, \ldots, n\}$, with the initial state $\hat{s}_0 = (s_0, C_0, \emptyset)$, where $C_0 = (0^n, 0^n, 0^n)$. For a $C \in \mathbb{N}^n \times \mathbb{N}^n \times \mathbb{N}^n$, we denote the first projection by P, the second projection by M, and the third projection by N. I.e., $P, M, N \in \mathbb{N}^n$ and $C = (P, M, N)$. For $1 \leq i \leq n$, we denote by $P_i$, $M_i$, or $N_i$ the i-th projection of P, M, or N, respectively. The role of the preorder $\preceq$ and of the counter valuation is informally explained below the formal definition of the transition relation. We introduce a shorthand $i \simeq j$ for $(i \preceq j \wedge j \preceq i)$ and $i \prec j$ for $(i \preceq j \wedge \neg(j \preceq i))$.

The transition relation is defined as follows: $((s, C, \preceq), a, (s', C', \preceq')) \in T$ if and only if $(s, a, t, s') \in \Delta$ and $C', \preceq'$ are constructed by the following three steps (executed in this order):

(1) $P' = P \oplus t$, $M' = M \oplus t$, and $N' = N \oplus t$.

(2) The preorder $\preceq'$ is constructed in two steps. First, $i \preceq' j$ if and only if either:

(a) $i \preceq j$ and $\pi_i(t) \in \{0, 1\}$, $\pi_j(t) \in \{0, 1\}$ and it is not true that $j \preceq i$, $\pi_i(t) = 1$, and $\pi_j(t) = 0$, or

(b) $\pi_i(t) = r(\{j\} \cup \Lambda)$ and $N'_j > 0$, or

(c) $\pi_i(t) = *_j$ or $\pi_j(t) = *_i$.

Secondly, add the transitive and reflexive closure to $\preceq'$.

(3) Repeat the following until a fixed point is reached: if $i \prec' j$ then set $M'_j = \max\{M'_j, M'_i + 1\}$ and if $k, l \prec' j$ then $P'_j = \max\{P'_j, P'_k + P'_l\}$.

We shall call the states of the LTS configurations. We write $(s, C, \preceq) \xrightarrow{a} (s', C', \preceq')$ if $((s, C, \preceq), a, (s', C', \preceq')) \in T$. We extend this notation to words, $(s, C, \preceq) \xrightarrow{w} (s', C', \preceq')$, where $w \in \Sigma^+$.

Note that the values N of the counters are updated only by the instructions 0, 1, $r(\Lambda)$ and $*_j$ (Step 1). The values M and P of the counters are updated by these effects as well (Step 1), but they can also be increased by the max operation (Step 3). Namely, $N_i > 0$ implies that $M_i > 0$ and $P_i > 0$. Clearly, there is always a fixed point reached after at most n iterations of Step 3.

The preorder $\preceq$ in a reachable state $(s, C, \preceq)$ relates counters i, j only if the values $M_i, P_i$ are smaller than or equal to $M_j, P_j$ ($i \preceq j$ implies $M_i \leq M_j$, $P_i \leq P_j$). Especially, $i \simeq j$ implies $M_i = M_j$, $P_i = P_j$. This is satisfied in the initial state (trivially) and preserved by updates in Step 2. There, the effects influence the preorder $\preceq$ in the following way: an equality is broken if one counter is incremented and the other one is left unchanged (Step 2a), a reset removes the counter from the preorder and puts it below non-zero counters indicated in the reset (Step 2b), and a copy instruction sets the counter equal to the counter whose value it copied (Step 2c). In other cases, the relation is preserved (Step 2a). An example of the effect of Step 2 on a preorder is in Figure 6.
Figure 6: An example of updates of $\preceq$ after applying the effect $(0, 1, 0, *_2, 0, r(\{5\}))$. The diagram on the left side depicts $\preceq$ and the diagram on the right side depicts $\preceq'$. Step 2a sets $1 \preceq' 3$, $2 \preceq' 3$, $5 \preceq' 3$, $1 \preceq' 2$. It does not set $2 \preceq' 1$, because the counter 2 was incremented while the counter 1 was left unchanged. Step 2b sets $6 \preceq' 5$ (we assume that $N'_5 > 0$). Step 2c sets $4 \preceq' 2$, $2 \preceq' 4$. The transitive and reflexive closure completes $\preceq'$ to a preorder.
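The ⊕ operation of the unparameterized semantics and the three-step transition relation, as an added worked example (not the paper's own code): apply_effect implements $(c_1, \ldots, c_n) \oplus t$ including copy instructions and reproduces the $(1, 5, 7) \oplus (1, *_1, *_2) = (2, 2, 5)$ example from the text, and step implements Steps 1 to 3 on a configuration. figure6_example applies the effect $(0, 1, 0, *_2, 0, r(\{5\}))$ of Figure 6 to a constructed starting configuration whose preorder contains $1 \simeq 2 \preceq 3$ and $5 \preceq 3$ with counters 4 and 6 unrelated, so that the resulting $\preceq'$ can be compared with the caption. The instruction encoding and the starting counter values are assumptions of this example; the page says "sums of pairs of counters", which the code reads as pairs of distinct counters $k \neq l$.

```python
from itertools import product

# Instruction encoding (an assumption of this example, not the paper's notation):
# 0 and 1 are the integers 0 and 1, a reset r(Lambda) is ("r", frozenset(Lambda)),
# and a copy *_j of counter j is ("*", j).  Counters are numbered 1..n as on the page.
ZERO, ONE = 0, 1


def reset(*counters):
    return ("r", frozenset(counters))


def copy(j):
    return ("*", j)


def is_reset(ins):
    return isinstance(ins, tuple) and ins[0] == "r"


def is_copy(ins):
    return isinstance(ins, tuple) and ins[0] == "*"


def plus(k, ins):
    """k (+) ins for one counter value and a non-copy instruction 0, 1 or r(Lambda)."""
    if ins == ZERO:
        return k
    if ins == ONE:
        return k + 1
    if is_reset(ins):
        return 0
    raise ValueError("copies are resolved in apply_effect")


def apply_effect(values, effect):
    """(c_1, ..., c_n) (+) t: first apply t-bar (copies replaced by 0) to every
    counter, then let each copy *_j read the already updated value of counter j."""
    t_bar = [ZERO if is_copy(ins) else ins for ins in effect]
    updated = [plus(c, ins) for c, ins in zip(values, t_bar)]
    return tuple(updated[ins[1] - 1] if is_copy(ins) else updated[i]
                 for i, ins in enumerate(effect))


def closure(rel, n):
    """Reflexive and transitive closure of a relation on {1, ..., n}."""
    rel = set(rel) | {(i, i) for i in range(1, n + 1)}
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(rel), repeat=2):
            if b == c and (a, d) not in rel:
                rel.add((a, d))
                changed = True
    return rel


def step(config, effect):
    """One transition of the extended R-automaton semantics: Steps 1 to 3 applied
    to a configuration (P, M, N, preorder) for the effect t.  The preorder is a
    set of pairs (i, j) meaning i is below or equal to j."""
    P, M, N, pre = config
    n = len(effect)
    pi = lambda i: effect[i - 1]
    # Step 1: P' = P (+) t, M' = M (+) t, N' = N (+) t.
    P1, M1, N1 = apply_effect(P, effect), apply_effect(M, effect), apply_effect(N, effect)
    # Step 2: rebuild the preorder from rules (a), (b), (c), then close it.
    new = set()
    for i, j in product(range(1, n + 1), repeat=2):
        kept = ((i, j) in pre and pi(i) in (ZERO, ONE) and pi(j) in (ZERO, ONE)
                and not ((j, i) in pre and pi(i) == ONE and pi(j) == ZERO))      # (a)
        below_reset = is_reset(pi(i)) and j in pi(i)[1] and N1[j - 1] > 0       # (b)
        copied = pi(i) == copy(j) or pi(j) == copy(i)                           # (c)
        if kept or below_reset or copied:
            new.add((i, j))
    new = closure(new, n)
    strictly_below = lambda i, j: (i, j) in new and (j, i) not in new
    # Step 3: propagate maxima along the strict part of the preorder to a fixed point.
    # "Sums of pairs of counters" is read here as pairs k != l (an assumption).
    M2, P2 = list(M1), list(P1)
    changed = True
    while changed:
        changed = False
        for j in range(1, n + 1):
            below = [i for i in range(1, n + 1) if strictly_below(i, j)]
            for i in below:
                if M2[i - 1] + 1 > M2[j - 1]:
                    M2[j - 1] = M2[i - 1] + 1
                    changed = True
            for k, l in product(below, repeat=2):
                if k != l and P2[k - 1] + P2[l - 1] > P2[j - 1]:
                    P2[j - 1] = P2[k - 1] + P2[l - 1]
                    changed = True
    return tuple(P2), tuple(M2), N1, new


# The effect of Figure 6 on six counters.
FIGURE6_EFFECT = (ZERO, ONE, ZERO, copy(2), ZERO, reset(5))


def figure6_example():
    """Constructed starting configuration: 1 and 2 equal and below 3, 5 below 3,
    counters 4 and 6 unrelated; the values respect the invariants of the text."""
    n = 6
    pre = closure({(1, 3), (2, 3), (5, 3), (1, 2), (2, 1)}, n)
    P = (2, 2, 4, 0, 1, 3)
    M = (2, 2, 3, 0, 1, 3)
    N = (2, 2, 3, 0, 1, 3)
    return step((P, M, N, pre), FIGURE6_EFFECT)
```

Running figure6_example shows the two mechanisms of the semantics side by side: Step 1 yields $N' = (2, 3, 3, 3, 1, 0)$ with no use of the preorder, while Step 3 lifts $M'_3$ from 3 to 4 (counter 2 is now strictly below 3 with $M'_2 = 3$) and $P'_3$ from 4 to 6 (the pair of counters 2 and 4, both strictly below 3, has $P'_2 + P'_4 = 6$), exactly the kind of growth that a bounded N cannot prevent without the preorder discipline described in the text.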

Another view on the preorder is what sequence of effects results in $i \prec j$. This can happen only in the following three ways. First, when i is reset with j in the set, i.e., by $r(\{j\} \cup \Lambda)$, and $M_j > 0$. Second, i is copied to j or j is copied to i and then j is incremented by 1 while i stays unchanged (the instruction is 0). Third, the relation $i \prec j$ can also be a result of the transitive closure. If already $i \prec j$ holds then it can be broken only by a reset or a copy of one of these two counters.

The preorder ≼ influences only the values P and M. If we skipped Step 2 in the semantics 
(which would result in ≼ being empty in all the reachable states) then P = M = N in all 
the reachable states. Also, changes of the values N along a transition depend only on the 
effect and not on ≼ in the starting state. 

We could also view our extension as R-automata which can perform max operations on 
the counters along the transitions. The motivation for introducing the preorder ≼ instead 
of allowing explicit max operations as instructions on the transitions is to restrict the usage 
of max operations so that Lemma 4.7 and Lemma 4.8 hold. Unrestricted usage of the max 
operation is equivalent to alternation. Limitedness has been shown decidable for alternating 
cost tree automata in [CL08a], but resets have to follow a hierarchical (parity-like) discipline 
in these automata and copying is not allowed. 

Paths in an LTS are called runs to distinguish them from paths in the underlying 
extended R-automaton. Observe that the LTS contains infinitely many states, but the 
counter values do not influence the computations, since they are not tested anywhere. In 
fact, for any extended R-automaton R, [[R]] is bisimilar to R considered as a finite automaton 
(without counters and effects). 

Parameterized Semantics. Next, we define B-semantics of extended R-automata. The 
parameter B is a bound on the counter values N which can occur along any run. For a 
given B ∈ N, let S_B be the set of configurations restricted to the configurations which do 
not contain a counter whose N value exceeds B, i.e., S_B = {(s, C, ≼) | (s, C, ≼) ∈ S ∧ C = 
(P, M, N) ∧ ∀1 ≤ i ≤ n. N_i ≤ B}. For an extended R-automaton R, the B-semantics of R, 
denoted by [[R]]_B, is [[R]] restricted to S_B. We write (s, C, ≼) →_B (s', C', ≼') to denote the 
transition relation of [[R]]_B. We extend this notation to words, (s, C, ≼) —w→_B (s', C', ≼'), 
where w ∈ Σ^+. 
Language. The (unparameterized or B-) language of an extended R-automaton is the set 
of words which can be read along the runs in the corresponding LTS ending in an accepting 
state (a configuration whose first component is an accepting state). Formally, for a run ρ in 
[[R]], let l(ρ) denote the concatenation of the labels along this run. A run ρ = (s_0, C_0, ∅) →* 
(s, C, ≼) is accepting if s ∈ F. The unparameterized language accepted by an extended R- 
automaton R is L(R) = {l(ρ) | ρ is an accepting run in [[R]]}. For a given B ∈ N, the 
B-language accepted by an extended R-automaton R is L_B(R) = {l(ρ) | ρ is an accepting 
run in [[R]]_B}. The unparameterized language of the extended R-automaton from Figure 5 
is ab*a*. The 2-language of this automaton is a(ε + b + bb + bbb)a*. We also define in the standard 
way the language of infinite words for R-automata with Büchi acceptance conditions, 
denoted by L^ω(R), L^ω_B(R). 
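As an added illustration of the B-semantics (this is not code from the paper), the following Python script decides membership in L_B(R) for a small automaton constructed here. The automaton is not the one from Figure 5, so its B-languages differ from the ones quoted above. It tracks only the N values (the preorder and the P, M values do not influence N) and restricts effects to the instructions 0, 1 and r.

```python
"""Membership in the B-language of an extended R-automaton, N values only.

Added example; the automaton below is constructed for this illustration and is
not the automaton of Figure 5.  Effects use only the instructions 0, 1 and r.
"""

# Constructed automaton with one counter.  A transition is
# (state, letter, effect, successor).  Its unparameterized language is
# a (b | c)* a*; b increments the counter and c resets it.
TRANSITIONS = [
    ("s0", "a", (0,), "s1"),
    ("s1", "b", (1,), "s1"),
    ("s1", "c", ("r",), "s1"),
    ("s1", "a", (0,), "s2"),
    ("s2", "a", (0,), "s2"),
]
INITIAL = "s0"
ACCEPTING = {"s1", "s2"}


def step(values, effect):
    """Update of the N values by an effect made of 0, 1 and r instructions."""
    return tuple(0 if e == "r" else v + e for v, e in zip(values, effect))


def in_b_language(word, bound=None):
    """Decide w in L_B(R); bound=None gives the unparameterized language L(R).

    Explores [[R]]_B breadth-first over configurations (s, N) reachable while
    reading the word; a configuration is dropped as soon as some N_i exceeds
    the bound, which is exactly the restriction to S_B.
    """
    n = len(TRANSITIONS[0][2])
    frontier = {(INITIAL, (0,) * n)}
    for letter in word:
        nxt = set()
        for state, values in frontier:
            for src, lab, effect, dst in TRANSITIONS:
                if src != state or lab != letter:
                    continue
                new = step(values, effect)
                if bound is None or max(new) <= bound:
                    nxt.add((dst, new))
        frontier = nxt
        if not frontier:
            return False
    return any(state in ACCEPTING for state, _ in frontier)


if __name__ == "__main__":
    for w in ("abba", "abbb", "abbcbb", "ba"):
        print(w, in_b_language(w), in_b_language(w, 2))
```

With the bound 2 the word abbb is rejected (the counter reaches 3 after the third b), while abbcbb is accepted because the reset on c keeps the counter within the bound.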

Limitedness/Universality. The language of an extended R-automaton R is limited or 
universal if there is a natural number B such that L_B(R) = L(R) or L_B(R) = Σ*, respectively. 
The definition of these problems for ω-languages is analogous. We show in Lemma 4.1 
that it is decidable whether a given extended R-automaton is limited or universal and in 
Lemma 4.7 and Lemma 4.8 that this concept would not change even if we limited the P or M 
values in the definition of B-semantics. 

We could split an extended R-automaton into three different automata which would 
maintain only one of the values P, M, N. Later on, in the reduction from timed automata to 
these automata, we use only P values. The presentation which we chose (all values together 
in one automaton) simplifies the notation for the proofs of Lemma 4.7 and Lemma 4.8. 

4.2. Limitedness of Extended R-automata — Copy Operations. First, we show that 
the limitedness problem for extended R-automata is decidable. In this section, we deal only 
with the N values of extended R-automata. We ignore the preorder ≼ (as it is not needed 
for calculating the N values) and when we say that a counter i has a value k then we mean 
that N_i = k. We also write only r instead of r(A). The decidability proof reduces the 
limitedness problem for extended R-automata to the limitedness problem of R-automata. 
It has been shown in [AKY08] that the universality problem of R-automata is decidable, 
but it is easy to see that this procedure can be used also to decide the limitedness problem. 
We create a disjoint union of the R-automaton in question and its complement (where the 
automaton is considered without effects, as a standard finite automaton). We add effects 
(0, ..., 0) on all transitions of the complement. This automaton is universal if and only if 
the original R-automaton is limited. 

Lemma 4.1. For a given extended R-automaton R, the question whether there is B ∈ N 
such that L_B(R) = L(R) (and L^ω_B(R) = L^ω(R)) is decidable. □ 

The rest of this subsection proves this lemma. In order to avoid unnecessary technical 
complications in the main part of the proof, we restrict ourselves to extended R-automata 
with at most one copy instruction in each effect. We show how to extend the proof to the 
general model at the end of this subsection. We reduce the universality problem for extended 
R-automata to the universality problem of R-automata, for which this problem has been 
shown decidable in [AKY08]. 
Construction. As the first step, we equip each R-automaton with a variable called parent 
pointer for each counter and with the ability to swap the values of the counters. The parent 
pointers range over {null} ∪ {1, ..., n}, where n is the number of the counters. We shall use 
them to capture (a part of) the history of copying. We observe that for each R-automaton one 
can encode the value swapping and the parent pointers into the states. To express properties 
of this encoding more formally, let us assume that the transitions in the semantics LTS are 
labeled also by the counter values (in the order encoded by the automaton) and the parent 
pointers. For each R-automaton R with parent pointers and value swapping, we can build 
an R-automaton R' with |S| · n! · 2^n states bisimilar to R, where |S| is the number of the 
states of R. Moreover, any number of value swaps and parent pointer operations can be 
encoded along each transition of R together with standard updates (increments, resets). R 
can also branch upon the values of the parent pointers. 

Before presenting the construction, we give some informal motivation for using parent 
pointers and counter swapping. When an automaton copies a value of a counter i to a 
counter j then, from this time point on, the values in these two counters develop independently. 
Any of them might eventually exceed an imposed bound. The simulating automaton 
has, however, only one copy of this value stored in the counter i. Therefore, the best the 
simulating automaton can do is to use this value to track the evolution of one of the two 
values from the original automaton. For the other value, we start simulating its evolution 
from 0 (which is easily done by a reset), hoping that the loss of the value accumulated in 
the counter i can be bounded in some way. 

Let us look a bit closer at what we mean by the evolution of a value (formalized as a 
value trace in Definition 4.2 below). A value contained in a counter i after t computation 
steps is alive after k additional steps of computation (i.e., at the time point t + k) if there 
is a counter whose value at the time point t + k was obtained from the original value (i.e., 
the value contained in the counter i at the time point t) by incrementing and copying 
(0, 1, *k operations). Each sequence of these operations which witnesses that a value is alive 
constitutes an evolution of this value. A value dies if all of its copies are reset or overwritten 
by a copy of some other value. 

The simulating automaton has to choose which of the two counters it wants to 
simulate with the original value accumulated in the counter i. We want the automaton to 
choose the counter whose value stays alive longer. The reason is as follows. There has to 
be an evolution which witnesses this property. This evolution occupies at least one counter 
during the whole lifetime of this value. Because the other value lives shorter, it has strictly 
fewer counters for copying itself. This gives us an inductive argument resulting in an upper 
bound on the number of simulation resets, i.e., resets introduced to simulate copy operations, 
along each value evolution (being the number of the counters). 

Technically, the automaton chooses a counter non-deterministically (by possibly swapping 
the values) and it uses parent pointers to verify the correctness of all choices. After 
each choice, it updates the parent pointers so that a pointer pointing from a counter i to 
a counter j expresses the guess that the value which is currently in the counter j will live 
longer than the value in the counter i. We are interested only in relations between values 
which have the same origin (one value was created as a copy of another). Therefore, it is 
enough to have only one parent pointer for each counter. One can then detect from the 
parent pointers and an effect whether applying this effect would violate the guesses. 

Figure 7: An example run of an extended R-automaton with an illustration of value 
evolution and parent pointers. The twelve effects above are applied to the three 
counters below in twelve consecutive steps. The solid (blue), dashed (green) and 
dotted (black) lines depict value evolutions ending with a cross. Arrows show 
parent pointers in a correct simulating run. 

Figure 7 depicts a sample run of an extended R-automaton with three counters initialized 
with zeros. The solid (blue) line denotes an evolution of the initial value of counter 3 (its 
value trace). Other lines denote alternative evolutions of the same value, but they are all 
shorter than the solid (blue) one. Crosses at the ends of the lines show the points where 
the alternative value dies. The arrows depict parent pointers along a correct run of the 
simulating automaton. They always connect the traces with the same splitting point and 
they point from the shorter to the longer one. As an illustration of how parent pointers 
serve for detecting wrong guesses, imagine that the parent pointer between counters 2 and 
3 in the third step (the first one with the effect (1, *3, 0)) has been set the other way round, 
i.e., pointing from the counter 2 to the counter 3. At the fifth step (the first one with the 
effect (1, 1, r)), the automaton knows directly from the effect that the value in the counter 
3 dies and the value in counter 2 is still alive. This is not consistent with the parent pointer 
and the automaton would enter an error state. 

The simulating automaton uses the counter value for the longer value trace (by possibly 
swapping the counter values) and resets the other counter to 0. In our example, a value 
trace splits in two with each copy operation. The value trace which keeps the style (color) 
is simulated by the counter value, while the one denoted by a different style (color) resets 
the counter value. The key observation for the simulation correctness is that when the value 
is reset twice (in our example with three counters) in copy simulations then it cannot be 
copied to another counter, because it would violate some parent pointers. Therefore, it 
cannot be reset in another copy simulation anymore. This is the case for the dotted (black) 
value traces. 

Now we can present the reduction by constructing, for each extended R-automaton R, an 
R-automaton R̂ which uses counter value swapping and the parent pointers, such that R is 
limited if and only if R̂ is limited. R̂ has all the states of R together with an error sink 
and it has the same initial state s_0 and the same set of accepting states as R. The error 
sink is a non-accepting state with no outgoing transitions except for self-loops labeled by 
Σ and effects (0, ..., 0) which do not swap any counter values and do not manipulate the 
parent pointers. The automaton starts in the initial state with all parent pointers set to 
null. To define the transitions of R̂, we need to encode copying by resets, value swapping 
and updates of parent pointers. To do this, we replace each copy by a reset, possibly with 
some (non-deterministic) value swapping and bookkeeping of the parent pointers. 

For each transition of R we either construct simulating transitions or a transition going 
to the error sink. Let us denote the simulated transition of R by s —t→ s', where t = 
(e_1, ..., e_n). If there are counters k, l such that e_k ∈ {0, 1}, e_l ∉ {0, 1}, and the parent pointer 
of k points to (is set to) l then we create a transition going to the error sink. Otherwise, 
we build simulating transitions s —t',sp→ s' in R̂ labeled by an effect t' = (e'_1, ..., e'_n), which 
might also swap some counter values and manipulate the parent pointers (denoted by sp). 

If t does not contain any copy instruction then there is one simulating transition with 
t' = t and for all i such that e_i = r, we set i's parent pointer to null. No counter values are 
swapped. 

If t contains a copy instruction e_i = *j then we create two simulating transitions. Each 
of them has the same effect t' = (e'_1, ..., e'_n), where e'_k = e_k if k ≠ i and e'_i = r. These two 
transitions give the simulating automaton a non-deterministic choice between the counters i 
and j. The first transition corresponds to the choice of j. Along this transition, we perform 
the effect and set i's parent pointer to j. No counter values are swapped. Along the other 
transition (corresponding to the choice of i), we perform the effect, swap the values of the 
counters i and j, copy the value of j's parent pointer into i's parent pointer, change 
the value of all parent pointers with value j to i, and finally set j's parent pointer to i. 
Both transitions also set k's parent pointer to null for all k such that e_k = r. An example 
of the construction of simulating transitions for a transition with an effect containing a copy 
instruction is depicted in Figure 8. 
Figure 8: An example of the construction of simulating transitions for a transition from s to 
s' labeled with an effect (1, 0, *2, r, 1). In this example, the simulating transitions 
start from the state s with the parent pointers set to the values 2, 5, null, 1, null 
(for the counters 1, 2, ..., 5) and the counter values set to (2, 5, 9, 1, 8). The parent 
pointer values and the counter values only illustrate the parent pointer manipulations 
and the application of the effects, they might differ in actual runs. 
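The two simulating transitions for the situation of Figure 8 can be computed mechanically. The Python function below is an added example, not the paper's construction itself: it implements the error check and the two choices described above for effects with at most one copy instruction, tracking only the N values. The order in which it applies the bookkeeping (effect, then swap and pointer redirection, then nulling the pointers of reset counters) is an assumption, and the resulting counter values and pointers are computed by this code rather than read off the figure.

```python
"""Simulating transitions of the parent-pointer R-automaton (Section 4.2).

Added illustration, not code from the paper.  Counters are numbered 1..n as in
the paper; list index k-1 holds counter k.  An effect entry is 0, 1, "r"
(reset; the reset set is irrelevant for N values and omitted) or ("*", j)
(copy counter j into this counter).  Only the N values are tracked.
"""

ERROR = "error-sink"


def apply_effect(effect, values):
    """Apply an effect of the simulating automaton (no copy instructions left)."""
    new = list(values)
    for k, e in enumerate(effect):
        if e == 1:
            new[k] = values[k] + 1
        elif e == "r":
            new[k] = 0
        elif e != 0:
            raise ValueError("simulating effects never contain a copy")
    return new


def simulating_transitions(effect, values, parents):
    """Return ERROR or the list of (values', parents') successor configurations."""
    n = len(effect)
    # Error check: a counter updated by 0/1 must not point to a reset or copied counter.
    for k in range(n):
        target = parents[k]
        if effect[k] in (0, 1) and target is not None and effect[target - 1] not in (0, 1):
            return ERROR
    copies = [k for k, e in enumerate(effect) if isinstance(e, tuple)]
    assert len(copies) <= 1, "at most one copy instruction per effect assumed"
    # t': every copy instruction is replaced by a reset.
    t_prime = ["r" if isinstance(e, tuple) else e for e in effect]
    reset_idx = [k for k, e in enumerate(effect) if e == "r"]
    base_vals = apply_effect(t_prime, values)
    if not copies:
        new_par = list(parents)
        for k in reset_idx:
            new_par[k] = None
        return [(base_vals, new_par)]
    i = copies[0]
    j = effect[i][1] - 1
    # Choice of j: counter j keeps the value, i is reset and points to j.
    par_j = list(parents)
    par_j[i] = j + 1
    for k in reset_idx:
        par_j[k] = None
    # Choice of i: swap the values so that i keeps the value, then redirect
    # i's pointer to j's parent, every pointer to j onto i, and j onto i.
    vals_i = list(base_vals)
    vals_i[i], vals_i[j] = vals_i[j], vals_i[i]
    par_i = list(parents)
    par_i[i] = parents[j]
    for k in range(n):
        if par_i[k] == j + 1:
            par_i[k] = i + 1
    par_i[j] = i + 1
    for k in reset_idx:          # assumption: reset pointers are nulled last
        par_i[k] = None
    return [(list(base_vals), par_j), (vals_i, par_i)]


if __name__ == "__main__":
    # The situation of Figure 8: effect (1, 0, *2, r, 1), pointers 2, 5, null, 1, null.
    for vals, par in simulating_transitions([1, 0, ("*", 2), "r", 1],
                                            [2, 5, 9, 1, 8], [2, 5, None, 1, None]):
        print(vals, par)
```

For the Figure 8 input the choice of j = 2 yields the values (3, 5, 0, 0, 9) with pointers (2, 5, 2, null, null); the choice of i = 3 swaps the copied value into counter 3 and yields (3, 0, 5, 0, 9) with pointers (3, 3, 5, null, null), and the pointer of the reset counter 4 is null in both.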
Proof of Correctness. Intuitively, the choice of a counter in the copy instruction tells that 
the value in this counter will be destroyed by a reset or overwritten by a copy instruction 
later than in the counter which was not chosen. The structure of the copies is captured by 
the parent pointers in the following sense. If the counter i points to the counter j then i 
contains an immediate copy of j (but possibly modified by increments) and its value will be 
destroyed earlier than the value in j. The automaton ends in the error sink if it witnesses a 
violation of some of these implicit claims, i.e., the value in the counter i is destroyed earlier 
than the value in the counter j. 

First, we formalize the concept of the evolution of a value and define the corresponding 
runs. Then we show existence of corresponding accepting runs. Later on we use the fact 
that the parent pointers along the simulating traces have a special structure to show the 
correctness of the simulation. 

Definition 4.2. For a path σ of length |σ| in the extended R-automaton (considered as 
a graph) with n counters and for two natural numbers 1 ≤ i ≤ j ≤ |σ|, a total function 
vt : {i, i + 1, ..., j} → {1, ..., n} is a value trace if for all k such that i ≤ k < j, t is the 
effect on the transition between the k-th and k + 1-st state on σ, vt(k) = a, vt(k + 1) = b, 
the following holds: if a ≠ b then π_b(t) = *a and if a = b then π_b(t) ∈ {0, 1}. 

A value trace follows a value from some time point during its evolution (increments, 
copying) in an extended R-automaton. A value trace ends before the value is overwritten by 
a copy instruction or reset. We also talk about a value trace along a run. Then we mean a 
value trace along a path which has induced the run. We order value traces by the set inclusion 
on their domains (e.g., vt : {2, 3} → {1, ..., n} is smaller than vt : {2, 3, 4} → {1, ..., n} 
regardless of the actual function values). We define the length of a value trace as the size of 
its domain. 

Now we define the correspondence between accepting runs in an extended R-automaton 
R and in its corresponding R-automaton R̂. We say that a run ρ of R over w and a run 
ρ' of R̂ over w are corresponding if for all i the i-th transitions of ρ, ρ' are obtained by 
executing the transitions s —t→ s' and s —t',sp→ s', where s —t',sp→ s' is a simulating transition 
of s —t→ s'. We show that for each accepting run of one automaton there is an accepting 
corresponding run of the other automaton. It follows immediately from the definitions that 
for each accepting run of R̂ there is exactly one accepting corresponding run of R. 

The other direction is more complicated, because we have to show that R̂ can choose 
correct values for the non-deterministic choices in the copy instructions so that it does not end 
up in the error sink. For each accepting run ρ of R, we construct an accepting run ρ' of R̂ 
as follows. We label each counter j in the k-th state of ρ (for all k ≤ |ρ|) by the length of 
a maximal value trace vt with domain being a subset of {k, k + 1, ..., |ρ|} and vt(k) = j 
(this label is called expectancy). R̂ takes the simulating transition for each transition of ρ 
(according to the rules above) and when it has to choose between i and j (e_i = *j) along 
a transition ending in the k-th state, then it chooses i if and only if the expectancy of i 
in k is greater than the expectancy of j in k (expectancy rule). We show that this is a 
valid definition, i.e., the corresponding run of R̂ does not end up in the error sink. The 
main step in the proof is to show that the parent pointers always point to the counters with 
expectancy which is greater than or equal to the expectancy of the counter which owns the 
parent pointer. 
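The following Python script is an added illustration (not from the paper) of Definition 4.2 and of the expectancy rule, computed over a run with three counters that is constructed here rather than taken from Figure 7. It checks whether a given function is a value trace, computes the expectancy of every counter in every state by a backwards dynamic programme, and derives from it the choice the expectancy rule makes at each copy instruction.

```python
"""Value traces (Definition 4.2) and expectancy (proof of Lemma 4.3).

Added illustration, not code from the paper.  Counters are 1..n; a run is
given by its effects, effects[k-1] sits between states k and k+1.  An effect
entry is 0, 1, "r" or ("*", a) (copy counter a into this counter).
"""


def pi(effect, b):
    """b-th component of an effect (counters are 1-based)."""
    return effect[b - 1]


def is_value_trace(effects, start, vt):
    """vt[m] is the counter holding the traced value in state start + m."""
    for m in range(len(vt) - 1):
        t = effects[start + m - 1]      # effect between states start+m and start+m+1
        a, b = vt[m], vt[m + 1]
        if a != b and pi(t, b) != ("*", a):
            return False
        if a == b and pi(t, b) not in (0, 1):
            return False
    return True


def expectancy_table(effects, n):
    """exp[k][c] = length of a maximal value trace vt with vt(k) = c and
    domain inside {k, ..., last state}, computed backwards over the run."""
    last = len(effects) + 1
    exp = {last: {c: 1 for c in range(1, n + 1)}}
    for k in range(last - 1, 0, -1):
        t = effects[k - 1]
        exp[k] = {}
        for c in range(1, n + 1):
            best = 0
            for b in range(1, n + 1):
                # the value in c survives in b: same counter updated by 0/1,
                # or b is an immediate copy of c
                ok = pi(t, b) in (0, 1) if b == c else pi(t, b) == ("*", c)
                if ok:
                    best = max(best, exp[k + 1][b])
            exp[k][c] = 1 + best
    return exp


def expectancy_choices(effects, n):
    """For each copy e_i = *j on the transition ending in state k, apply the
    expectancy rule: choose i iff the expectancy of i in k exceeds that of j.
    Returns tuples (k, i, j, chosen)."""
    exp = expectancy_table(effects, n)
    choices = []
    for idx, t in enumerate(effects):
        k = idx + 2                     # this transition ends in state k
        for i in range(1, n + 1):
            if isinstance(pi(t, i), tuple):
                j = pi(t, i)[1]
                choices.append((k, i, j, i if exp[k][i] > exp[k][j] else j))
    return choices


# Constructed run over three counters (not the run of Figure 7).
RUN = [
    (1, 0, 1),
    (0, ("*", 3), 1),   # counter 2 becomes a copy of counter 3
    (1, 1, "r"),        # the value in counter 3 dies here
    (("*", 2), 0, 0),   # counter 1 becomes a copy of counter 2
    (1, "r", 0),        # the value in counter 2 dies here
    (0, 0, 1),
]

if __name__ == "__main__":
    table = expectancy_table(RUN, 3)
    for k in sorted(table):
        print(k, table[k])
    print(expectancy_choices(RUN, 3))
```

On this run the longest trace of the initial value of counter 3 is 3, 3, 2, 2, 1, 1, 1 (length 7), so the rule keeps the copied value in counter 2 at the second effect and in counter 1 at the fourth; the table also exhibits the identity used in the proof of Lemma 4.3, namely that the expectancy of j before a copy equals 1 plus the larger of the expectancies of i and j after it.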
Lemma 4.3. For each accepting run ρ of R there is an accepting corresponding run ρ' of 
R̂. 

Proof. We prove by induction that for each prefix of ρ there is a simulating run which does 
not contain the error state such that for any state along ρ' and any two counters i, j in this 
state, if the parent pointer of i points to j then the expectancy of j is not smaller than that 
of i. Such a simulating run for |ρ| will also be accepting. 

The basic step (i.e., the prefix length is 0) is trivial. For the induction step, let us 
assume that there is a simulation of the prefix of length k satisfying IH. To simulate the 
k + 1-st transition, we follow the expectancy rule. 

Because of the induction hypothesis and the definition of expectancy, there are always 
simulating transitions (and not a transition leading to the error sink). If there is a copy 
instruction e_i = *j in the transition, the non-deterministic choice is performed according to 
the vt function, so the result again satisfies the induction hypothesis. The transfer of the 
parent pointers does not violate it either, because the expectancy of j in k is equal to 1 plus 
the maximum of the expectancies of i and j in k + 1. The resets do not establish any new 
parent pointers, so the result again satisfies the induction hypothesis. The other instructions 
result in decrementing the expectancy, which preserves the induction hypothesis for all the 
pointers inherited from the previous state as well as for the pointers changed by the copy 
instruction. □ 

Let us introduce the parent pointer relation →_p for a state of R̂ as a relation on counters 
where i →_p j if and only if the parent pointer of i is set to j. 

Lemma 4.4. Let ρ be a run of R̂. The transitive closure of →_p is antireflexive in all states 
of ρ. 

Proof. We prove by induction that for each prefix of ρ, the transitive closure of →_p is 
antireflexive in all states of the prefix. 

The basic step is trivial, →_p is empty in s_0. For the induction step, we need to check 
that a single transition does not violate the antireflexivity. If the transition leads to the 
error sink then →_p is not changed. Otherwise, it is a simulating transition defined by the 
rules above. The resets make →_p smaller and 0, 1 do not change it. In the copy instruction 
e_i = *j, we introduce one new pointer, but we know that nothing points to i, because of 
the condition on creating the simulating transitions and the fact that the parent pointers 
of all reset counters are set to null. In the first case (j has been chosen), we set i's parent 
pointer to j, which cannot introduce a loop, since nothing points to i. In the second case 
(i has been chosen), since we have redirected all the pointers pointing to j to i, there is 
nothing pointing to j and the newly introduced j →_p i cannot create a loop. Also, since there 
was nothing pointing to i previously, the only pointers pointing to i now are those that 
previously pointed to j. □ 

This leads to the following definition of ranks. For a counter i in a state s of R̂ we 
define rank(s, i) inductively by rank(s, i) = 0 if the parent pointer of i in s is null and 
rank(s, i) = rank(s, j) + 1 if i →_p j in s. From Lemma 4.4 we have that the ranks are 
well-defined and it follows directly from the definition that the rank of a counter is always 
bounded by the number of the counters. Now we formulate a lemma saying that the ranks 
never decrease along a value trace. 

Lemma 4.5. Let ρ be a run of R̂ and vt be a value trace. Then for k ≤ l such that 
vt(k), vt(l) are defined, rank(s_k, vt(k)) ≤ rank(s_l, vt(l)). 

Proof. We show this claim by induction on l − k. The basic step is that l = k and then 
rank(s_k, vt(k)) = rank(s_l, vt(l)). For the induction step we have two cases. If the transition 
leads to the error sink then →_p is not changed and therefore the ranks do not decrease. 
Otherwise, it is a simulating transition defined by the rules above. Because of the condition 
on creating the simulating transitions, we never decrease any rank by a reset. The 
instructions 0, 1 also do not decrease any rank. Copy increases the rank of the branch with 
smaller expectancy (and the counter is reset) and keeps the rank for the branch with bigger 
expectancy (the one which keeps the value) unchanged. Because of the careful manipulation 
of the pointers, no ranks which depend on the rank of the longer branch change either. □ 

The main property of the reduction is stated in the following lemma. The correctness 
of Lemma 4.1 is then a direct corollary of this lemma. 

Lemma 4.6. Let R be an extended R-automaton with n counters and with at most one copy 
instruction in each effect and R̂ be the simulating R-automaton constructed as above. For 
each B and for each word w, w ∈ L_B(R) ⇒ w ∈ L_B(R̂) and w ∈ L_B(R̂) ⇒ w ∈ L_{n·B}(R). 

Proof. The first implication: we know from Lemma 4.3 that for each accepting run ρ of R 
over w there is a corresponding accepting run ρ' of R̂ over w. It follows directly from the 
construction that for all k ≤ |ρ|, the counter values in the k-th state of ρ' are bounded by 
the counter values in the k-th state of ρ. All instructions are simulated faithfully except for 
replacing copy instructions by resets along ρ'. 

The second implication: by contraposition, let us for each B consider a word w such 
that w ∉ L_{n·B}(R). Any accepting run ρ' of R̂ over w must satisfy Lemma 4.5. Let vt be 
a maximal value trace for a value which exceeds n · B in ρ. We study the evolution of this 
value in ρ'. It is simulated faithfully except for some possible resets in the copy instructions. 
But for each such reset, the rank of the counter strictly increases. Therefore, there can be 
at most n − 1 such resets and there must be a state in which this value exceeds B. □ 

Now we show that the result holds also for extended R-automata with any number of 
copies in each step. Let us view the relation "i is copied to j" induced by an effect t as 
a directed graph (counters are nodes, there is an edge from i to j if π_j(t) = *i). Because 
each node can have at most one incoming edge, such a graph is a collection of simple loops 
with isolated paths outgoing from them (nodes with no incoming edge are considered as 
degenerated loops). We can split the application of such an effect t into an equivalent sequence 
of effects with at most one copy instruction and some swapping of the values and the parent 
pointers as follows. First, we perform t (all increments and resets). Then we pick one of 
the counters j such that j has no outgoing edge and it has an (exactly one) incoming edge 
from i. We copy the value of i to j and leave all other counters unchanged, which can be 
described by the effect (0, ..., *i, ..., 0), where *i is on the j-th position. Then we remove 
the edge connecting i and j and continue to pick another such counter. When there is no 
node j with no outgoing edge and with an incoming edge, there still might be loops in the 
copying graph. We simply swap the counter values and the parent pointers in the loops. 
Because of the order in which we have copied the counters, the effect of this sequence of 
transitions with at most one copy instruction and swaps is the same as that of the original 
transition. Also, the correctness does not depend on the order in which we choose the edges. 
A careful analysis shows that this sequence of transitions can be encoded into one simulating 
transition in R-automata with value swapping and parent pointers. 
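The splitting of a multi-copy effect just described can be carried out by the following Python script, an added example that is not code from the paper. It builds the copying graph of an effect, peels off the counters with an incoming but no outgoing edge as single-copy effects, realises each remaining loop by adjacent value swaps, and checks against a direct application of the effect (increments and resets first, then all copies at once, which is the order the text performs them in). Parent pointers are left out; the effects and counter values are constructed for the illustration.

```python
"""Splitting an effect with several copy instructions into single-copy
effects plus swaps (end of Section 4.2).  Added example, not the paper's code.
Counters are 1..n; an effect entry is 0, 1, "r" or ("*", i).  Copies read the
source values after the increments and resets of the same effect.
"""


def apply_effect(effect, values):
    """Reference semantics: increments/resets, then all copies simultaneously."""
    after = [0 if e == "r" else (v + e if e in (0, 1) else v)
             for v, e in zip(values, effect)]
    return [after[e[1] - 1] if isinstance(e, tuple) else after[k]
            for k, e in enumerate(effect)]


def decompose(effect):
    """Return the steps ("effect", t0) with copies replaced by 0, ("copy", i, j)
    standing for the single-copy effect (0, ..., *i, ..., 0) with *i at position
    j, and ("swap", a, b) value swaps, in the order they are to be applied."""
    steps = [("effect", tuple(0 if isinstance(e, tuple) else e for e in effect))]
    # copying graph as target -> source: an edge i -> j iff pi_j(effect) = *i;
    # every node has at most one incoming edge, so one entry per target suffices
    edges = {j + 1: e[1] for j, e in enumerate(effect) if isinstance(e, tuple)}
    # peel off counters that have an incoming edge but no outgoing edge
    while True:
        leaves = [j for j in edges if j not in edges.values()]
        if not leaves:
            break
        j = min(leaves)
        steps.append(("copy", edges.pop(j), j))
    # what remains are disjoint simple loops; rotate each one by adjacent swaps
    while edges:
        start = min(edges)
        cycle, node = [], start
        while True:
            cycle.append(node)
            node = edges.pop(node)      # the source this node copies from
            if node == start:
                break
        # cycle[m] must receive the old value of cycle[m+1]; a chain of
        # adjacent swaps along the loop achieves exactly this rotation
        for m in range(len(cycle) - 1):
            steps.append(("swap", cycle[m], cycle[m + 1]))
    return steps


def apply_steps(steps, values):
    """Apply a decomposition to counter values."""
    vals = list(values)
    for s in steps:
        if s[0] == "effect":
            vals = [0 if e == "r" else v + e for v, e in zip(vals, s[1])]
        elif s[0] == "copy":
            _, i, j = s
            vals[j - 1] = vals[i - 1]
        else:
            _, a, b = s
            vals[a - 1], vals[b - 1] = vals[b - 1], vals[a - 1]
    return vals


# Constructed effect: loop 1 -> 3 -> 2 -> 1 with a path 3 -> 4, and 1 on counter 5.
EXAMPLE_EFFECT = (("*", 2), ("*", 3), ("*", 1), ("*", 3), 1)

if __name__ == "__main__":
    steps = decompose(EXAMPLE_EFFECT)
    print(steps)
    print(apply_steps(steps, [10, 20, 30, 40, 50]),
          apply_effect(EXAMPLE_EFFECT, [10, 20, 30, 40, 50]))
```

For the constructed effect the leaf 4 is copied from 3 before the loop is rotated, so counter 4 still receives the pre-rotation value of counter 3, which is what the simultaneous semantics gives as well.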
4.3. Limiting Maxima in Extended R-automata. Let for a state (s, (P, M, N), ≼) in 
a run of an extended R-automaton with n counters, the N-value (M-value, P-value) of this 
state be max{N_i | 1 ≤ i ≤ n} (max{M_i | 1 ≤ i ≤ n}, max{P_i | 1 ≤ i ≤ n}, respectively). Let 
for a run ρ of this automaton, the N-value (M-value, P-value) of the run be the maximum 
state N-value (M-value, P-value) over all states along the run. We denote this value by 
N(ρ) (M(ρ), P(ρ)). 

Lemma 4.7. Let R be an extended R-automaton with n counters and let B ∈ N. For all 
runs ρ of R, if N(ρ) ≤ B then M(ρ) ≤ B^n. 

Proof. We show a stronger claim, namely that if a run ρ starts in a state with the M-value 
equal to b and N(ρ) ≤ B then M(ρ) ≤ b + B^n, by induction on the number of counters n. 
The basic step (n = 1) is trivial, because Step 3 will never change the counter value and 
thus M(ρ) = N(ρ) ≤ B. 

Let us assume that the claim holds for automata with n counters. We show that it 
holds for automata with n + 1 counters. Let us fix a run ρ and a B ∈ N. Let us without 
loss of generality assume that the counter which reaches the greatest M value is the counter 
n + 1. First, we argue that there is an extended R-automaton and a run of this automaton 
starting with the same counter values as ρ which has the same M-value as ρ, along which 
the counter n + 1 is never updated by a copy instruction and never reset. 

The argument for the copy instructions is straightforward: each copy instruction makes 
the source and the target counter equivalent both in the values which they contain (Step 1) 
and in the preorder ≼ (Step 2c). Therefore, we can permute the instructions in the effects 
(intuitively, rename the counters) in the prefix of the run leading to the copy instruction so 
that the value is accumulated in the counter n + 1 and then copied to the other counter. 

If the counter n + 1 is reset then its value can be incremented only by 1 and via the 
max operation with other counters which are reset later. This follows from the fact that 
n + 1 is a minimal element of ≼ after it is reset. This is the same situation as if the run 
started with all counter values equal to zero (C_0) and ≼ empty. 

Therefore, the counter n + 1 can be updated only by 1 and 0 (where 0 does not increase 
M_{n+1} and there can be at most B increases by 1) and M_{n+1} can be increased by the max 
operation. We show that M_{n+1} can grow by at most B^n between any two increments by 1. 

Between any two increments by 1, the value M_{n+1} can grow only by application of the 
max operation with the counters i such that i ≺ n + 1 (Step 3). These counters cannot make 
use of the counter n + 1 (cannot increase their M-values more than if there was no counter 
n + 1). The only way for a counter i to use the counter n + 1 is to apply i = *(n + 1), 
but this would set i ≃ n + 1 (Step 2c). To set i ≺ n + 1 back again, we would have to 
reset i (instruction r({n + 1} ∪ A)) or copy some other counter j such that j ≺ n + 1 into 
i (instruction i = *j) (follows from Step 2). But this would have the same effect as if i was 
updated by 0 until this state and then reset or copied. Hence, the claim that M_{n+1} can 
grow by at most B^n between any two increments by 1 follows from IH. □ 

Now we show that the P-values are bounded by an exponential of the M-values. 

Lemma 4.8. Let R be an extended R-automaton with n counters and let B ∈ N. For all 
runs ρ of R, if M(ρ) ≤ B then P(ρ) ≤ 2^B. 

Proof. We show by induction on the length of the run that for all states (s, (P, M, N), ≼) 
along the run and for all 1 ≤ i ≤ n, P_i ≤ 2^{M_i}. The basic step is trivial. We check that 
the claim is preserved by every update of the counters. Let us denote the values before 
the claim is preserved by every update of the counters. Let us denote the values before 
the transition by unprimed letters P, M and after the effect takes place with primed letters 
P', M'. Let the instruction (update) applied to the counter i be: 

• 0 : The values of the counters do not change, the claim holds from IH. 

• 1 : We have that P'_i = P_i + 1, M'_i = M_i + 1. From IH, we know that P_i ≤ 2^{M_i}. From 
this we have that P'_i = P_i + 1 ≤ 2^{M_i} + 1. Because 2^{M_i} ≥ 1 for all M_i ≥ 0, we have that 
2^{M_i} + 1 ≤ 2 · 2^{M_i} = 2^{M_i + 1} = 2^{M'_i}. 

• r : This case is clear, P'_i = M'_i = 0. 

• *j : The claim follows from IH. 

• max : Let us discuss one application of the max operation (Step 3) where the value 
of P'_i is increased (if it is not the case then the claim holds from IH). If k, l ≺ i then 
P'_i = max{P_i, P_k + P_l} = P_k + P_l and M'_i = max{M_i, M_k + 1, M_l + 1}. Without loss 
of generality, let us assume that P_k ≥ P_l. Thus, P'_i ≤ 2 · P_k ≤ 2 · 2^{M_k} = 2^{M_k + 1}. Since 
M'_i ≥ M_k + 1, we have that 2^{M_k + 1} ≤ 2^{M'_i}. 

The update of all counters along each transition consists only of these updates. □ 

5. Encoding of Timed Automata to Extended R-automata 

Now we are ready to show the translation of timed automata into extended R-automata. 
Intuitively, we equip the region graph induced by a given timed automaton with counters 
whose values are updated as we move along a path in the region graph. The constructed 
extended R-automaton is equipped with two counters, c_xy and c_yx, for each pair of clocks 
x, y. These counters keep the information about the minimal distances between the fractional 
parts of the clocks. The distance is not characterized in an absolute manner, but relatively 
to a sampling unit ε. Let the counter values be obtained after following a path in the region 
graph. The counters say how many ε's at least have to be there between the fractional parts 
of two clocks in any state reachable by a concrete run of the timed automaton along this 
path in the region graph. 

If the fractional parts coincide then both Cxy and Cyx are equal to 0. If the fractional 
parts are not equal then Cxy contains a lower bound (as a number of e steps) on the distance 
from X to y (xy^) and Cyx a lower bound on the distance from y to x (jJXy). This lower bound 
is also tight - up to factor 2. If the extended i?-automaton reaches a state where Cxy contains 
12 along some path then each run in an e-sampled semantics along the corresponding path 
in the region graph will end up in a state where xy^ > 12 • e. If e = 0.01 then the distance 
between the fractional parts has to be at least 0.12. If e = 0.1 then this state is unreachable 
along this region graph path, because the difference between the fractional parts has to be 
always smaller than 1. Also, states where xy^ > 2 • Cxy ■ e holds for all clocks x,y can be 
reached along the corresponding path in e-sampled semantics. 

If the extended /^-automaton is limited then we can choose a sufficiently small e such 
that for each untimed word there is an accepting state which can be reached in e-sampled 
semantics (while reading this word). On the other hand, if the extended /^-automaton is 
unlimited then for each e we can pick a word which is accepted only with some counter 
exceeding 1/e. This means that there will not be any runs in e-sampled semantics accepting 
this word. 

The following examples illustrate how we update the counters. First, we look at counter incrementing. If we start in the region where $0 < x = y < 1$ then the counters $C_{xy}$ and $C_{yx}$ are equal to 0. Assume that the automaton resets the clock $x$. Then the distance between $x$ and $y$ has to be at least $\varepsilon$ (and the same holds for the distance from $y$ to $x$). Hence, we increment both counters. After a (symbolic) time pass transition in the region graph, we come to the region where $0 < x < y < 1$. If the automaton now resets $x$ again then the distance from $x$ to $y$ has to be at least $2 \cdot \varepsilon$, while the lower bound on the distance from $y$ to $x$ can be arbitrarily small (but at least $\varepsilon$). Therefore, we increment the counter $C_{xy}$, reset the counter $C_{yx}$ and immediately increment it.

Secondly, we describe a scenario where we need counter copying. Assume that the clocks $x$ and $y$ have different fractional parts and there is some value in the counter $C_{xy}$, say 54. We can reset clocks $u$ and $v$ within one time unit so that the fractional parts of $u$ and $x$ are the same and that the fractional parts of $v$ and $y$ are the same. Then we know that the difference between the fractional parts of $u$ and $v$ has to be at least $54 \cdot \varepsilon$. To remember this fact, we copy the information from the counter $C_{xy}$ to the counter $C_{uv}$. Note that it is not enough to track both distances with one counter, because these distances can from now on develop independently.

Finally, the last example motivates the maximum operation. Assume that we have three clocks $x$, $y$ and $z$ in a region where $0 < x < y < z < 1$ and $C_{xy} = 10$, $C_{yz} = 13$. This means that the difference between the fractional parts of $x$ and $y$ has to be at least $10 \cdot \varepsilon$ and the difference between the fractional parts of $y$ and $z$ has to be at least $13 \cdot \varepsilon$. It follows that the difference between the fractional parts of $x$ and $z$ has to be at least $23 \cdot \varepsilon$. This fact has to be reflected in the value of $C_{xz}$, which has to be at least $C_{xy} + C_{yz}$. If the distance between the clocks $y$ and $z$ increases and the counter $C_{yz}$ is incremented (as described above) then we have to update the counter $C_{xz}$ so that it contains the value $\max\{C_{xz}, C_{xy} + C_{yz}\}$. Symmetrically, the same holds for increments of the counter $C_{xy}$. In our model, this is ensured by maintaining the preorder $\preceq$ in such a way that $C_{xy} \preceq C_{xz}$ and $C_{yz} \preceq C_{xz}$ hold if and only if $xy$ and $yz$ are subintervals of $xz$ (formally, $D \models xyz$). Then the automaton automatically sets $C_{xz}$ to $C_{xy} + C_{yz}$ if this value becomes greater than $C_{xz}$. We update the preorder $\preceq$ along the transitions by supplying additional information to reset operations. We track the "is subinterval of" relation for intervals between pairs of clocks, which is available directly from the region.

In order to avoid summing up overlapping intervals we restrict the max operation of extended R-automata in the following way. The $P$ counters are updated by a sum of two other $P$ counters only if the other two counters do not have a common lower bound in the $\preceq$ ordering. Formally, Step 3 in the unparameterized semantics definition now reads:

[3] Repeat the following until a fixed point is reached:

- if $i \preceq j$ then set $M'_j = \max\{M'_j, M'_i + 1\}$ and

- if $k, l \preceq j$ and $\nexists m.\ m \preceq k \wedge m \preceq l$ then set $P'_j = \max\{P'_j, P'_k + P'_l\}$.

We need this restriction in order to count each subinterval only once. As an example, consider a region where $0 < a < b < c < d < 1$. Then, $C_{ac} \preceq C_{ad}$ and $C_{bd} \preceq C_{ad}$, and therefore according to the original definition $C_{ad}$ has to be at least as big as $C_{ac} + C_{bd}$. This includes the difference between fractional parts of clocks $b$ and $c$ (represented by the counter $C_{bc}$) twice. This is not possible with the new definition, because $C_{bc} \preceq C_{ac}$ and $C_{bc} \preceq C_{bd}$.

Clearly, Lemma 4.8 holds also for this restriction, because the $P$ values will be always smaller than or equal to the $P$ values calculated according to the original definition.
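The following Python is an added example and not part of the paper: it models the $P$ part of Step 3 on the region $0 < a < b < c < d < 1$, with the preorder taken as "is a (cyclic) subinterval of", and runs the restricted rule next to the unrestricted one. The clock positions, the sampling step and the counter values are constructed for the illustration (every counter starts as the exact distance divided by $\varepsilon$), so the restricted closure must leave them unchanged while the unrestricted closure pushes $C_{ad}$ to $C_{ac} + C_{bd}$, counting $bc$ twice.

```python
"""Added example (not from the paper): the restricted max step (Step 3) of
extended R-automata on the region 0 < a < b < c < d < 1.

Counters C_uv are lower bounds, in units of eps, on the cyclic distance from
the fractional part of u to that of v.  In a region with all fractional parts
distinct, C_kl <= C_uv in the preorder iff the cyclic interval k->l is a
sub-interval of u->v.  All names and values below are constructed.
"""
from itertools import permutations

ORDER = ["a", "b", "c", "d"]          # fractional parts in increasing order
POS = {clk: i for i, clk in enumerate(ORDER)}
N = len(ORDER)


def edges(u, v):
    """Unit arcs (between neighbouring clocks) covered by the cyclic interval u -> v."""
    i, j = POS[u], POS[v]
    return frozenset((i + k) % N for k in range((j - i) % N))


def is_sub(k, j):
    """The preorder on counters: interval k is a sub-interval of interval j."""
    return edges(*k) <= edges(*j)


def has_common_lower_bound(k, l, counters):
    """Some counter m with m <= k and m <= l, i.e. k and l share an arc."""
    return any(is_sub(m, k) and is_sub(m, l) for m in counters)


def max_step(counters, restricted):
    """Step 3 on the P values: P_j = max(P_j, P_k + P_l) for k, l below j.

    restricted=True  is the paper's rule: pairs with a common lower bound
                     (overlapping or nested intervals) are skipped.
    restricted=False sums any two distinct proper sub-intervals of j.
    Iterates to the fixed point and returns a new dict.
    """
    P = dict(counters)
    changed = True
    while changed:
        changed = False
        for j in P:
            for k, l in permutations(P, 2):
                if not (is_sub(k, j) and is_sub(l, j)):
                    continue
                if restricted:
                    if has_common_lower_bound(k, l, P):
                        continue
                elif k == j or l == j:
                    continue            # keeps the unrestricted rule terminating
                cand = P[k] + P[l]
                if cand > P[j]:
                    P[j] = cand
                    changed = True
    return P


def exact_counters(fr, eps):
    """Constructed input: C_uv = (cyclic distance from u to v) / eps for all u != v."""
    return {(u, v): round(((fr[v] - fr[u]) % 1.0) / eps)
            for u, v in permutations(fr, 2)}


FR = {"a": 0.1, "b": 0.2, "c": 0.7, "d": 0.8}   # constructed valuation
EPS = 0.1                                        # constructed sampling step

if __name__ == "__main__":
    C = exact_counters(FR, EPS)
    print("C_ad exact:       ", C[("a", "d")])                       # 7
    print("C_ad restricted:  ", max_step(C, True)[("a", "d")])       # 7
    print("C_ad unrestricted:", max_step(C, False)[("a", "d")])      # 12 = C_ac + C_bd
```

The unrestricted value 12 exceeds the true distance $7$ between $a$ and $d$ in the constructed valuation, so it would no longer be a lower bound; the restricted rule only ever adds arc-disjoint pieces of $j$ and therefore stays sound.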

The rest of this section is organized as follows. First, we describe how to translate a timed automaton with at most one clock reset along each transition into an extended R-automaton. Then we show three technical properties of the constructed extended R-automaton (Lemma 5.1, Lemma 5.2 and Lemma 5.3). In the rest of this section we prove the correspondence between the counter values along runs of the extended R-automaton and the minimal distances between the fractional parts of the clock values in the timed automaton (Lemma 5.4 and Lemma 5.5).



Construction. Let $G$ be the region graph induced by a given timed automaton $A'$ with at most one reset in each transition. We build an extended R-automaton $R$ from this region graph $G$. The extended R-automaton $R$ has a state corresponding to each node in the region graph $G$ and two auxiliary states for each edge in the region graph $G$ corresponding to a discrete transition (an edge labeled by $a \in \Sigma$). The initial state is the state corresponding to the node $(q_0, \{\nu_0\})$. Accepting states are the states corresponding to the nodes $(q, D)$, where $q \in F$. We introduce two counters $C_{xy}, C_{yx}$ for each pair of clocks $x, y \in C$ where $x$ is different from $y$. We use only the $P$ values from the extended R-automaton and in the following we will refer to them simply by $C_{xy}, C_{yx}$.

Since encoding of a single edge might need to perform multiple counter updates, we introduce a sequence of three transitions and two auxiliary states between them for each edge in $G$ corresponding to a discrete transition of the timed automaton $A'$. These transitions are labeled by the same letter as the original edge. More precisely, let us have an edge in $G$ from $(q', D')$ to $(q, D)$ labeled by $a$, where $a \in \Sigma$. Then we create two auxiliary states $q_1, q_2$ (these states are unique for this transition; formally we should write $q_1^{(q',D'),a,(q,D)}$, $q_2^{(q',D'),a,(q,D)}$, but without confusion, we skip the superscript) and three transitions from $(q', D')$ to $q_1$, from $q_1$ to $q_2$, and from $q_2$ to $(q, D)$, all of them labeled by $a$.

For edges corresponding to a time pass transition in $A'$ (edges labeled by $\delta$), we introduce only one transition labeled by $\delta$ directly leading to the state corresponding to the target node. More precisely, let us have an edge from $(q', D')$ to $(q, D)$ labeled by $\delta$ in $G$. We create a transition in $R$ from $(q', D')$ to $(q, D)$ labeled by $\delta$. Later on, we show how to get rid of these transitions (and of the letter $\delta$) while preserving the counter bounds. In fact, the standard construction for showing that regular languages are closed under projection works, because transitions labeled by $\delta$ do not affect the counter values.

Now we show how to label the transitions by effects. The transitions labeled by $\delta$ and the transitions corresponding to an edge in $G$ from $(q', D')$ to $(q, D)$ labeled by $a$, $a \in \Sigma$, where either $D = D'$ (no clock is reset) or a clock $x$ is reset such that $x =_{D'} 0$ (the clock had zero fractional part before reset) are labeled by the effect $(0, \ldots, 0)$ (all counters are left unchanged).

In other cases, we have transitions corresponding to an edge in $G$ from $(q', D')$ to $(q, D)$ labeled by $a$ where a clock with non-zero fractional part is reset. Let us denote this clock by $x$. These transitions are labeled by effects created according to the following four cases. Counters which are not mentioned are left unchanged (the instruction $0$ is on all three transitions). The instructions are denoted by triples $C : e_1, e_2, e_3$, where $C$ is the counter to which the instructions are applied and $e_1, e_2, e_3$ are the instructions ($e_i$ is a part of the effect on the $i$-th transition).

(1) The region $D'$ has a clock $a$ with zero fractional part (depicted in Figure 9).

  (a) $C_{ax}, C_{xa} : r(\emptyset), 0, 0$

  (b) $u \ne a$. $C_{ux} : *C_{ua}, 0, 0$ and $C_{xu} : *C_{au}, 0, 0$.

(2) The region $D'$ has clocks $a, d$ such that the fractional part of $a$ is smaller than or equal to the fractional part of $x$ and the fractional part of $d$ is greater than or equal to the fractional part of $x$ (depicted in Figure 10).

  (a) $u \ne a$. $C_{xu} : *C_{au}, 1, 0$

  (b) $u \ne d$. $C_{ux} : *C_{ud}, 1, 0$

  (c) $C_{xa} : 0, r(\{C_{da}, C_{xu} \mid \forall u \ne a, x\}), 1$

  (d) $C_{dx} : 0, r(\{C_{da}, C_{ux} \mid \forall u \ne d, x\}), 1$

(3) The clock $x$ has strictly smaller fractional part than other clocks in $D'$ (depicted in Figure 11). We denote a clock with the smallest fractional part greater than the fractional part of $x$ by $a$ and a clock with the greatest fractional part by $d$.

  (a) $u \ne x$. $C_{xu} : 1, 0, 0$

  (b) $u \ne d$. $C_{ux} : *C_{ud}, 1, 0$

  (c) $C_{dx} : 0, r(\{C_{da}, C_{ux} \mid \forall u \ne d, x\}), 1$

(4) The clock $x$ has strictly greater fractional part than other clocks in $D'$ (depicted in Figure 12). We denote a clock with the greatest fractional part smaller than the fractional part of $x$ in $D'$ by $d$ and a clock with the smallest fractional part in $D'$ by $a$.

  (a) $u \ne x$. $C_{ux} : 1, 0, 0$

  (b) $u \ne a$. $C_{xu} : *C_{au}, 1, 0$

  (c) $C_{xa} : 0, r(\{C_{da}, C_{xu} \mid \forall u \ne a, x\}), 1$



Figure 9: The region $D'$ has a clock $a$ with zero fractional part. The letter $x'$ denotes the position of the clock $x$ in $D'$ (before it was reset).

Figure 10: The region $D'$ has no clock with zero fractional part and the fractional part of $x$ is neither strictly smaller nor strictly greater than all other clocks. The letter $x'$ denotes the position of the clock $x$ in $D'$ (before it was reset).

Figure 11: The clock $x$ has the smallest (strictly) fractional part in the region $D'$. The letter $x'$ denotes the position of the clock $x$ in $D'$ (before it was reset).

Figure 12: The clock $x$ has the greatest (strictly) fractional part in the region $D'$. The letter $x'$ denotes the position of the clock $x$ in $D'$ (before it was reset).

Let us by a complete transition denote a transition of $R$ which simulates a time pass transition or a sequence of three transitions of $R$ which simulate a discrete transition. We call the states of $R$ which are not auxiliary, i.e., the states reached by complete transitions, complete states. Figure 13 shows the result of this construction applied to the timed automaton from Figure 1.

An informal alternative description of the updates by effects is that a counter is incremented if the distance between the two corresponding clocks grows and a counter is reset to 1 if the distance between the two corresponding clocks decreases, and then the counters are updated to satisfy $D \models xyz \Rightarrow C_{xy} + C_{yz} \le C_{xz}$ by the max operations. We take the liberty to apply the max operations only at the end of each complete transition. This does not affect validity of Lemma 4.8, is sufficient for correctness of our construction, and it will simplify the proofs.




Figure 13: The extended R-automaton constructed for the timed automaton from Figure 1. It has two counters $C_{xy}$ and $C_{yx}$ which are updated by effects in this order, i.e., an effect $(1, 0)$ increments the counter $C_{xy}$. Complete states are labeled by a location and a region, whereas auxiliary states are labeled by $s_1, s_2, \ldots$ Regions are characterized by the following constraints: $R_0 : 0 = x = y$, $R_1 : 0 < x = y < 1$, $R_2 : 0 = x < y < 1$, $R_3 : 0 < x < y < 1$, $R_4 : 0 < x < y = 1$, $R_5 : 0 = y < x < 1$, $R_6 : 0 < y < x < 1$. The automaton is not bounded, because $C_{yx}$ is incremented and never reset in the loop.



Since we use the max operation, we need to take care of the preorder $\preceq$. In order to do this, we need all the copy instructions in Items 2 - 4 and resets. Copying already assigns the desired value to the counter, which speeds up the applications of the max operation (as shown in Lemma 5.3 below).

The important property of $\preceq$ is formalized in the following lemma. The proof is rather technical and analyzes the items in the construction and the semantics of extended R-automata.

Lemma 5.1. For all reachable complete states $((q, D), C, \preceq)$ of $R$, the following holds:
(i) $C_{bc} \preceq C_{ad}$ if and only if for all $\nu \in D$, $\overline{bc}_\nu \le \overline{ad}_\nu$, and
(ii) $C_{ab} \equiv C_{cd}$ if and only if for all $\nu \in D$, $\overline{ab}_\nu = \overline{cd}_\nu > 0$.

Proof. We show by induction on the length of a shortest path reaching $((q, D), C, \preceq)$ that the claim holds. The basic step is trivial. For the induction step, observe that the claim that for all $\nu \in D$, $\overline{bc}_\nu \le \overline{ad}_\nu$ is equivalent to $(D \models abc \wedge D \models cda) \vee (a =_D b \wedge D \models acd) \vee (c =_D d \wedge D \models abc)$, and the claim that for all $\nu \in D$, $\overline{ab}_\nu = \overline{cd}_\nu > 0$ is equivalent to $a =_D c \wedge b =_D d$.

Point (i), "⇒": Correctness of all inequalities introduced by Item 1 of the construction follows from IH.

Item 2 of the construction introduces inequalities $C_{au} \preceq C_{xu}$ and $C_{ud} \preceq C_{ux}$, because of the copy instruction (Point 2c in the semantics introduces equality) and then $C_{xu}, C_{ux}$ are incremented by the instruction $1$, which breaks the equality into inequality (Point 2a in the semantics). But it is clear from the analysis of the region $D'$ and the observations above that the claim is satisfied. Item 2 also introduces inequalities by resets. The reset instructions are delayed by one transition (they take place on the second transition in the sequence) and therefore the inequalities $C_{au} \preceq C_{xu}$ and $C_{ud} \preceq C_{ux}$ are already established. This prevents the inequalities $C_{xa} \preceq C_{au}$, $C_{dx} \preceq C_{ud}$ from appearing in the preorder. It is easy to verify from the region that the remaining inequalities which are established satisfy the claim. It follows from IH that the inequalities introduced by the transitive closure satisfy the claim.

Item 3 does not introduce any new inequalities for $C_{xu}$, because there is no other counter $C_{ab}$ such that $C_{ab} \equiv C_{xu}$ (IH, Point (ii)). The argument for the inequalities created by copying and resets is the same as for the previous item.

Item 4 is dual to the previous item.

Point (i), "⇐": The fact that all required inequalities are created by Item 1 follows from IH.

Items 2 - 4 have to create new inequalities for counters containing the clock $x$ (we can find all of them by inspecting the regions). The copy instructions put $C_{xu} \equiv C_{au}$ and $C_{ux} \equiv C_{ud}$ (Point 2c in the semantics). The counters $C_{xu}, C_{ux}$ are then incremented by the instruction $1$, while the counters $C_{au}, C_{ud}$ stay unchanged (instruction $0$). This results in the inequalities $C_{au} \preceq C_{xu}$ and $C_{ud} \preceq C_{ux}$. The counters $C_{xa}, C_{dx}$ are reset by an instruction which contains all the important counters. This (as defined in Point 2b of the semantics, together with the transitive closure) creates all the necessary inequalities.

Point (ii), "⇒": Item 1 creates equalities by the copy instruction (Point 2c) and the transitive closure, but the correctness follows immediately from the fact that $a =_D x$ and from IH (for the transitive closure).

Items 2 - 4 introduce equalities by the copy instructions and the transitive closure, but because the counters $C_{xu}, C_{ux}$ are incremented by $1$ and the counters $C_{au}, C_{ud}$ are left unchanged, the equalities introduced by the copy instructions are broken. The equalities introduced by the transitive closure satisfy the claim (IH).

Point (ii), "⇐": New equalities required by the region in Item 1 are created by the copy instructions and the transitive closure. The other required equalities follow from IH. Note that $\overline{ax}_\nu = \overline{xa}_\nu = 0$ for all $\nu \in D$ and therefore the equality $C_{ax} \equiv C_{xa}$ is not required.

Items 2 - 4 do not move any two clocks together and therefore the claim holds from IH. □

The following two lemmas formulate the essential properties of the construction we need for the proof of the correctness of the reduction. Because of these lemmas, we do not have to refer to $\preceq$ and max operations anymore.

Lemma 5.2. For all reachable complete states $((q, D), C, \preceq)$ of $R$, the following holds:

(i) if $D \models xyz$ then $C_{xy} + C_{yz} \le C_{xz}$,

(ii) if $x =_D y$ then $C_{xy} = 0$ and $C_{xu} = C_{yu}$, $C_{ux} = C_{uy}$ for all clocks $u$,

(iii) if $x \ne_D y$ then $C_{xy} \ge 1$, $C_{yx} \ge 1$.

Proof. Point (i) follows directly from Lemma 5.1 and Step 3 in the definition of the semantics of extended R-automata.

The first part of Point (ii) follows from Item 1 in the construction of $R$ and the fact that this counter can be changed only along a transition which leads to a state $((q', D'), C', \preceq')$, where $x \ne_{D'} y$ (follows straightforwardly from the construction). The second part follows from Lemma 5.1 and an observation that counters equivalent with respect to $\preceq$ contain the same values.

Point (iii) follows from a simple inductive argument. If $x \ne_D y$ holds and it did not hold in the previous state then $C_{xy}, C_{yx}$ is either updated by a copy from a counter with value greater than or equal to 1 (Item 1) or by a copy or reset followed by an increment (Item 2). In particular, Items 3 and 4 cannot be applied. If $x \ne_D y$ holds and it held also in the previous state then $C_{xy}, C_{yx}$ is either incremented (Items 3 and 4) or updated by a copy from a counter with value greater than or equal to 1 (Item 1) or by a copy or reset followed by an increment (Items 2, 3 and 4). □

The property formalized in Point (i) of the previous lemma is the reason for extending the R-automata with the max operations. The preorder $\preceq$ is a technical construction thanks to which we are able to reduce limitedness for R-automata with max operations to limitedness of R-automata.

Lemma 5.2 shows that max operations ensure a lower bound on counters. The following lemma shows that applications of the max operation do not increase the counters too much. In fact, it says that max operations can increase a counter at most by 1 in each complete step and this only if it has not been affected by other operations.

Lemma 5.3. Let $((q', D'), C', \preceq')$ and $((q, D), C, \preceq)$ be two consecutive complete states in a run of $R$. Only counters $C_{uv}$ such that $v <_D u$ and $v \ne_D 0$ can be affected by the max operation. Moreover, if $C_{uv} \ne C'_{uv}$ then $C_{uv} = C_{ux} + C_{xv} = C'_{uv} + 1$.

Proof. We show that the first fixed-point iteration of taking maxima satisfies this claim. Then we show by contradiction that there are no more fixed-point iterations of taking maxima.

To show the first step, we analyze all types of transitions. For Item 1 the claim holds trivially. We show the claim in full detail for Item 3. Other items are analogous.

The counters $C_{uv}$ such that $u <_D v$ and $u \ne_D 0$ (which implies that $u, v \ne x$) are not affected by the transition. They also form a downward closed set with respect to $\preceq$, hence they are not updated by the max operation.

Counters $C_{xu}$ are incremented along the transition. By induction on the number of clocks with different fractional part between $x$ and $u$ in $D$ we show that these counters are not updated by the max operation. The basic step is trivial, because $C_{xu}$ is a minimal element in $\preceq$. For the induction step, let us look at the value of the expression $\max\{C_{xu}, C_{xw} + C_{wu}\}$. From IH and the previous consideration we know that neither of the counters $C_{xw}, C_{wu}$ has been updated by the max operation in this step. Therefore, $C_{xw} = C'_{xw} + 1$ and $C_{wu} = C'_{wu}$. But since $C_{xu} = C'_{xu} + 1$ and from Lemma 5.2 we know that $C'_{xu} \ge C'_{xw} + C'_{wu}$, we have that $\max\{C_{xu}, C_{xw} + C_{wu}\} = C_{xu}$.

Counters $C_{ux}$ are set to $C'_{ud}$ and then incremented along the transition. By induction on the number of clocks with different fractional part between $u$ and $d$ in $D$ we show that these counters are not updated by the max operation. For the basic step, there are no counters $C$ strictly below $C_{ud}$, and $C_{dx} = 1$. Therefore, $C_{ux} = C_{ud} + C_{dx}$. For the induction step, let us look at the value of the expression $\max\{C_{ux}, C_{uw} + C_{wx}\}$. From IH and the previous consideration we know that neither of the counters $C_{uw}, C_{wx}$ has been updated by the max operation in this step. Therefore, $C_{wx} = C'_{wd} + 1$ and $C_{uw} = C'_{uw}$. But since $C_{ux} = C'_{ud} + 1$ and from Lemma 5.2 we know that $C'_{ud} \ge C'_{uw} + C'_{wd}$, we have that $\max\{C_{ux}, C_{uw} + C_{wx}\} = C_{ux}$.

Therefore, the counters possibly affected by the first max application are $C_{uv}$ such that $v <_D u$ and $v \ne_D 0$ (which implies that $u, v \ne x$). These counters are set to $C_{ux} + C_{xv}$ if $C_{ux} + C_{xv} > C'_{uv}$ (other possible candidates for the max operation have not been modified along the transition). We know from Lemma 5.2 that $C'_{uv} \ge C'_{ud} + C'_{dx} + C'_{xv}$, $C'_{dx} \ge 1$ and from the construction we know that $C_{ux} = C'_{ud} + 1$, $C_{xv} = C'_{xv} + 1$. This gives us that if $C_{uv} \ne C'_{uv}$ then $C_{uv} = C'_{uv} + 1$.

Now we show that there are no additional iterations of the application of the max operation. Let us assume that $C_{eb}$ is updated in the second iteration by $C_{ec} + C_{cb}$. Without loss of generality, let us assume that $C_{cb}$ was updated by the max operation in the first iteration (this also means that $c, b \ne x$). Note that the set of counters updated by the max operation in the first iteration has the counter $C_{xa}$ as a lower bound. Then we know that $C_{ec}$ was not updated by the max operation in the first iteration. Here we use the restriction on extended R-automata introduced at the beginning of this section. We also know that $b <_D e$ and $e <_D c$ (and hence $b <_D c$). The rest of the argument applies to Item 3. The other items are analogous.

We know that $C_{ec} = C'_{ec}$ (from the region and from the construction) and $C_{cb} = C'_{cb} + 1$ (from the previous argument). Also, $C'_{eb} \ge C'_{ec} + C'_{cb}$ from Lemma 5.2, which together with the assumption that $C_{eb}$ was updated by the max operation means that $C'_{eb} = C'_{ec} + C'_{cb}$ (it follows from the region and from the construction that $C_{eb}$ was not affected by any counter operations during this step). We know from the first iteration that $C_{cb} = C_{cx} + C_{xb} = C'_{cd} + C'_{xb} + 2$ and $C'_{cb} = C'_{cd} + C'_{dx} + C'_{xb}$ where $C'_{dx} = 1$. This means that $C'_{eb} = C'_{ec} + C'_{cd} + C'_{dx} + C'_{xb}$. But then $C_{ex} = C'_{ed} + 1 \ge C'_{ec} + C'_{cd} + 1$, $C_{xb} = C'_{xb} + 1$, and $C_{ex} + C_{xb} \ge C'_{eb} + 1$. Hence, $C_{eb}$ has been updated by the max operation in the first iteration and it is equal to $C_{ec} + C_{cb}$ even before the second iteration, which is a contradiction. □

The previous lemma shows that we did not need the fixed-point calculation in the definition of extended R-automata semantics. On the other hand, fixed-point calculations make these automata a more powerful tool with the same complexity of the limitedness problem as R-automata with copying (which follows from Lemma 4.8). Also, defining extended R-automata with only one fixed-point iteration would make the proof of Lemma 5.1 more complicated.

Correspondence between $A'$ and $R$. Now we formulate correspondence properties between the timed automaton $A'$ and the extended R-automaton $R$ constructed as above. Let us recall that we ignore $N$ and $M$ values of the counters and denote the $P$ values by $C$. For instance, a state $((q, D), (N, M, P), \preceq)$ is written as $((q, D), C, \preceq)$. Let for a state in a run of an extended R-automaton, the value of the state be the maximal counter value in this state (the $P$ value). Let for a run $\rho$ of an extended R-automaton, the maximum counter value along this run be the maximal state value along this run. This is the value $P(\rho)$, but to avoid confusion, we denote it by $\max\{\rho\}$ here.

Let us say that a valuation $\nu \in D$ satisfies the counter valuation $C$ with the smallest step $\varepsilon$ (denoted by $\nu \models_\varepsilon C$) if for each pair of clocks $x, y$, $\overline{xy}_\nu / \varepsilon \ge C_{xy}$ (or equivalently, $\overline{xy}_\nu \ge C_{xy} \cdot \varepsilon$).

Lemma 5.4. Let $R$ be the extended R-automaton constructed from the region graph $G$ induced by a timed automaton $A$. Let $\rho = ((q_0, \{\nu_0\}), C_0, \emptyset) \longrightarrow ((q, D), C, \preceq)$ be a run in $R$ ending in a complete state, $\alpha = (q_0, \{\nu_0\}) \longrightarrow (q, D)$ be the corresponding path in $G$, and $\varepsilon \le 1/(4 \cdot \max\{\rho\})$. For all $\nu \in D_\varepsilon$ such that $\nu \models_{2\varepsilon} C$ there is a run $\rho'$ in $[\![A]\!]_\varepsilon$ ending in $(q, \nu)$ such that $\rho' \models \alpha$. Also, there is a $\nu \in D_\varepsilon$ such that $\nu \models_{2\varepsilon} C$.

Remark. This lemma requires that the valuations satisfy the counters with the smallest step $2 \cdot \varepsilon$. This enables smooth time-pass transitions. If the value of a counter $C_{xy}$ is 1 and we would allow the difference between fractional parts of $x$ and $y$ to be only $\varepsilon$ then we would not be able to reach a region where $0 <_D y <_D x$ in the $\varepsilon$-sampled semantics by letting the time pass. Another requirement is that each increment of a counter corresponds at most to $\varepsilon/4$ in the sampled semantics. We need this to be able to place disjoint intervals between the fractional parts of the clock values next to each other within the unit interval. In other words, we need that $1 > (C_{xy} + C_{yx}) \cdot 2\varepsilon$ always holds for all clocks $x$ and $y$. In the proof, we also use that $2 > (C_{uz} + C_{zx} + C_{xu}) \cdot 2\varepsilon$ holds for all clocks $x, u, z$ such that $D \models uxz$, which follows from the previous constraints.

Proof. By induction on the length of $\alpha$. The basic step is trivial.

For the induction step, let us first observe that the maximum counter value along $\rho$ is greater than or equal to the maximum counter value along its prefixes. Let $\nu \in D_\varepsilon$ and $\nu \models_{2\varepsilon} C$. We have to find $\nu' \in D'_\varepsilon$, $\nu' \models_{2\varepsilon} C'$, where $((q', D'), C', \preceq')$ is the previous complete state of $\rho$, such that $\nu$ can be reached from $\nu'$ along the edge from $(q', D')$ to $(q, D)$. We discuss different types of this edge.

Let us first look at the case where the edge leads to the immediate time successor. Let $x$ be a clock with the smallest fractional part in $\nu$. If $0 <_D x$ (or, equivalently, $\mathrm{fr}(\nu(x)) > 0$) then $\nu'(y) = \nu(y) - \mathrm{fr}(\nu(x))$ for all $y \in C$. If $0 =_D x$ (equivalently, $\mathrm{fr}(\nu(x)) = 0$) then $\nu'(y) = \nu(y) - \varepsilon$ for all $y \in C$. Because the minimal distance between two clocks with different fractional parts is $2 \cdot \varepsilon$ (follows from IH and Lemma 5.2), $\nu' \in D'_\varepsilon$ in both cases. Also, $\nu' \models_{2\varepsilon} C'$, because $C' = C$ (instructions on all counters are 0) and the differences between the clocks do not change.

We discuss an edge along which a clock (denote it $x$) is reset. Then we know that $\nu'(y) = \nu(y)$ for all $y \ne x$. The case where $x =_{D'} 0$ clearly holds, because neither distances between the fractional parts of the clocks nor the counters change. For the other case, we discuss different types of the regions $D, D'$ corresponding to the cases in the construction of $R$ separately. Let $i$ be the integral part of the clock $x$ in $D'$. If there is a clock $z$ such that $x =_{D'} z$ then $\nu'(x) = i + \mathrm{fr}(\nu(z))$.

Otherwise, there is a clock with a different fractional part than $x$ in $D'$, because $|C| \ge 2$. If there is a clock with a smaller fractional part than $x$ in $D'$ then let $b$ denote a clock with the greatest fractional part smaller than the fractional part of $x$. We place $x$ at the greatest distance from $b$ to the right enforced by some clock $z$ and the counter $C'_{zx}$:

$\nu'(x) = i + \max\{\mathrm{fr}(\nu(z) + C'_{zx} \cdot 2\varepsilon) \mid \forall z \in C.\ (z = b) \vee (\overline{zb}_\nu < C'_{zx} \cdot 2\varepsilon)\}$

If $x$ has the smallest fractional part in $D'$ (the third case in this proof) then let $b$ denote a clock with the smallest fractional part greater than the fractional part of $x$. We place $x$ at the greatest distance from $b$ to the left enforced by some clock $z$ and the counter $C'_{xz}$:

$\nu'(x) = i + \min\{\mathrm{fr}(\nu(z) - C'_{xz} \cdot 2\varepsilon) \mid \forall z \in C\}$

Here we do not need the additional condition on clocks $z$, because they all have the fractional part greater than or equal to the fractional part of $b$. The construction of the valuation $\nu'$ for $x$ is depicted in Figure 14.



Figure 14: Illustration of the calculation of the value of $x$ in the valuation $\nu'$. The positions of the clocks correspond to the valuation $\nu$, where $\nu(x) = 0$ ($x$ was reset), $\nu(a) = 0.12$, $\nu(b) = 0.24$, $\nu(d) = 0.76$. The values of the counters are $C_{ax} = 10$, $C_{bx} = 3$, $C_{dx} = 17$. The sampling rate is $\varepsilon = 0.02$ and thus $C_{ax} \cdot 2\varepsilon = 0.4$, $C_{bx} \cdot 2\varepsilon = 0.12$, $C_{dx} \cdot 2\varepsilon = 0.68$. Then $\nu'(x)$, depicted by $x'$, is $\max\{0.52, 0.36, 0.44\} = 0.52$.
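The following Python is an added example, not part of the paper: it evaluates the max formula for $\nu'(x)$ on the constructed data of Figure 14 (the case where some clock $b$ lies below $x$ in $D'$), including the wrap-around of $d$ past 1 and the side condition $\overline{zb}_\nu < C'_{zx} \cdot 2\varepsilon$, and then checks $\nu' \models_{2\varepsilon} C'$ for the counters into $x$ using the definition of $\models_\varepsilon$ given above. The dict representation of valuations and counters is an assumption made for the example.

```python
"""Added example (not from the paper): placing a reset clock x in the
predecessor valuation nu' (proof of Lemma 5.4) on the constructed data of
Figure 14, and checking nu' |=_{2 eps} C' for the counters C'_zx.

Assumed representation: clocks are strings, a valuation is a dict clock ->
value, counters_to_x[z] holds C'_zx (lower bound, in units of eps, on the
distance from z to x in D').
"""


def frac(t):
    """Fractional part of a non-negative real."""
    return t - int(t)


def dist(nu, u, v):
    """uv_nu: distance from the fractional part of u forward (cyclically) to v."""
    return (frac(nu[v]) - frac(nu[u])) % 1.0


def place_reset_clock(nu, counters_to_x, b, eps, integral=0):
    """nu'(x) = i + max{ fr(nu(z) + C'_zx*2eps) | z = b or zb_nu < C'_zx*2eps }.

    b is the clock with the greatest fractional part below x in D'.
    Returns nu'(x) and the candidate positions that were compared.
    """
    step = 2 * eps
    candidates = {}
    for z, czx in counters_to_x.items():
        # Clocks whose bound does not reach past b are excluded; b itself always counts.
        if z == b or dist(nu, z, b) < czx * step:
            candidates[z] = frac(nu[z] + czx * step)
    return integral + max(candidates.values()), candidates


def satisfies(nu, counters, eps, tol=1e-9):
    """nu |=_eps C: every pair distance is at least C_uv * eps (counters keyed by (u, v))."""
    return all(dist(nu, u, v) + tol >= c * eps for (u, v), c in counters.items())


# Constructed data of Figure 14; eps = 0.02, so one counter unit is 2*eps = 0.04.
NU = {"a": 0.12, "b": 0.24, "d": 0.76}
C_TO_X = {"a": 10, "b": 3, "d": 17}
EPS = 0.02


def figure14():
    """Recompute nu'(x) of Figure 14 and verify the counters into x at step 2*eps."""
    x_val, cands = place_reset_clock(NU, C_TO_X, b="b", eps=EPS)
    nu_prime = dict(NU, x=x_val)
    ok = satisfies(nu_prime, {(z, "x"): c for z, c in C_TO_X.items()}, 2 * EPS)
    return x_val, cands, ok


if __name__ == "__main__":
    x_val, cands, ok = figure14()
    print({z: round(v, 2) for z, v in cands.items()})   # a: 0.52, b: 0.36, d: 0.44
    print(round(x_val, 2), ok)                           # 0.52 True
```

All three clocks pass the side condition here ($\overline{ab}_\nu = 0.12 < 0.4$ and $\overline{db}_\nu = 0.48 < 0.68$), and the candidate from $d$ wraps past 1 to $0.44$, which is why the maximum is taken over fractional parts rather than raw sums.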

As the first case we consider regions $D'$ which have a clock $a$ with zero fractional part (Item 1 in the construction, depicted in Figure 9). We denote a clock with the greatest fractional part smaller than the fractional part of $x$ by $b$ (there is always one such clock, since $b$ could be the clock $a$). If it exists, then we also denote a clock with the smallest fractional part greater than the fractional part of $x$ by $c$.

We have to show that $\nu' \in D'_\varepsilon$ and that $\nu' \models_{2\varepsilon} C'$. First we show that $\nu' \in D'_\varepsilon$. If there is a clock $y$ such that $x =_{D'} y$ then clearly $\nu' \in D'_\varepsilon$. Otherwise, we have to show that $b <_{D'} x$ and if $c$ exists then also that $x <_{D'} c$. To show that $b <_{D'} x$, we need to show that $\mathrm{fr}(\nu(b)) + C'_{bx} \cdot 2\varepsilon < 1$ and then the rest follows from the construction of $\nu'$. Since $C_{ba} = C'_{ba} \ge C'_{bx} + C'_{xa}$ and $C'_{xa} \ge 1$ (Lemma 5.2), we have that $C_{ba} > C'_{bx}$ and from the fact that $\nu \models_{2\varepsilon} C$ we have that $\overline{ba}_\nu \ge C_{ba} \cdot 2\varepsilon$ and thus $\mathrm{fr}(\nu(b)) + C'_{bx} \cdot 2\varepsilon < 1$. To show that $x <_{D'} c$, we discuss the following two cases. Let us denote the clock chosen by the max function in the construction of the value $\nu'(x)$ by $z$.

• If the clock $z$ has the same fractional part as $c$ in $D'$ then the claim follows from the condition $\overline{zb}_\nu < C'_{zx} \cdot 2\varepsilon$ in the construction of $\nu'$ and the observation that $C'_{zx} \cdot 2\varepsilon < 1$.

• Otherwise, we have that $C_{zc} = C'_{zc} \ge C'_{zx} + C'_{xc}$ and $C'_{xc} \ge 1$ (Lemma 5.2), thus $C_{zc} > C'_{zx}$. From the fact that $\nu \models_{2\varepsilon} C$ and from the construction of $\nu'$ we have that $\overline{zc}_{\nu'} \ge C'_{zc} \cdot 2\varepsilon$ and $\overline{zx}_{\nu'} = C'_{zx} \cdot 2\varepsilon$, which gives that $\overline{zc}_{\nu'} > \overline{zx}_{\nu'}$. This is a sufficient condition in case that $z <_{D'} c$. Otherwise, we need to show that $x <_{D'} z$, which is shown in the previous item.

Now we show that $\nu' \models_{2\varepsilon} C'$. If there is a clock $y$ such that $x =_{D'} y$ then the fact that 
$\nu' \models_{2\varepsilon} C'$ follows directly from Lemma 5.2. Otherwise, we have to check all the counters. 
For all counters $C'_{uv}$ such that $u, v \neq x$, $C'_{uv} = C_{uv}$ and from the construction of $\nu'$, 
$\overline{uv}_{\nu'} \geq C'_{uv} \cdot 2\varepsilon$. For counters $C'_{ux}$ (for all clocks $u$), the fact that $\overline{ux}_{\nu'} \geq C'_{ux} \cdot 2\varepsilon$ follows 
directly from the construction of $\nu'$ (and from the fact that $b <_{D'} x$ for the clocks which do 
not satisfy the condition in the construction of $\nu'$). For the counters $C'_{xu}$ we consider two 
cases. Let us denote the clock chosen by the max function in the construction of the value 
$\nu'(x)$ by $z$. 

• If the clock $z$ does not have the same fractional part as $u$ in $D'$ then we have again two 
possibilities. 

— If $D' \models \overline{xuz}$ then we have that $C_{zu} = C'_{zu} \geq C'_{zx} + C'_{xu}$ (Lemma 5.2). From the 
fact that $\nu \models_{2\varepsilon} C$ and from the construction of $\nu'$ we have that $\overline{zu}_{\nu'} \geq C'_{zu} \cdot 2\varepsilon$ and 
$\overline{zx}_{\nu'} = C'_{zx} \cdot 2\varepsilon$, therefore $\overline{xu}_{\nu'} = \overline{zu}_{\nu'} - \overline{zx}_{\nu'} \geq C'_{xu} \cdot 2\varepsilon$. 

— If $D' \models \overline{xzu}$ then we have that $\overline{xu}_{\nu'} \geq \overline{xz}_{\nu'}$. From the construction of $\nu'$ we have that 
$\overline{xz}_{\nu'} = 1 - C'_{zx} \cdot 2\varepsilon$ and from the condition on $\varepsilon$ we have that $1 > 2 \cdot \max\{C'_{zx}, C'_{xu}\} \cdot 2\varepsilon$. 
This together gives that $\overline{xz}_{\nu'} \geq C'_{xu} \cdot 2\varepsilon$. 

• If the clock $z$ has the same fractional part as $u$ in $D'$ then it suffices to observe that 
$C'_{xu} + C'_{ux} \leq 2 \cdot \max\{\rho\}$ and thus $1 > (C'_{xu} + C'_{ux}) \cdot 2\varepsilon$. From the construction of $\nu'$ we 
have that $\overline{xu}_{\nu'} = 1 - C'_{ux} \cdot 2\varepsilon$ and thus $\overline{xu}_{\nu'} \geq C'_{xu} \cdot 2\varepsilon$. 

As the second case we consider regions $D'$ such that $a <_{D'} x <_{D'} d$ (Item 2 in 
the construction, depicted in Figure 10). The argument for this case is the same as for the 
first case, with the only difference that we use the counters $C_{bd}, C_{xd}$ instead of the counters 
$C_{ba}, C_{xa}$ when showing that $b <_{D'} x$. 

As the third case we consider regions $D'$ where $x$ has strictly smaller fractional part 
than other clocks (Item 3 in the construction, depicted in Figure 11). We denote a clock 
with the smallest fractional part greater than the fractional part of $x$ by $a$ (there is always 
one such clock, since $|\mathcal{C}| \geq 2$). 

We have to show that $\nu' \in D'$ and that $\nu' \models_{2\varepsilon} C'$. First we show that $\nu' \in D'$. We 
have to show that $(\mathrm{fr}(\nu(z)) - C'_{xz} \cdot 2\varepsilon) > 0$ for all clocks $z$ and that $x <_{D'} a$. The first part 
follows from the fact that $\overline{xz}_{\nu} \geq C_{xz} \cdot 2\varepsilon$, $\nu(z) = \nu'(z)$, and $C'_{xz} < C_{xz}$. At this place, we 
use the fact that the value of $C_{xz}$ is incremented along these transitions in the extended 
R-automaton construction. The second fact follows from the first one and from the fact that 
$C'_{xa} \geq 1$ (Lemma 5.2). 

Now we show that $\nu' \models_{2\varepsilon} C'$. The argument is 'dual' to the argument for the first 
case. For all counters $C'_{uv}$ such that $u, v \neq x$, $C'_{uv} \leq C_{uv}$ and from the construction of $\nu'$, 
$\overline{uv}_{\nu'} \geq C'_{uv} \cdot 2\varepsilon$. For counters $C'_{xu}$ (for all clocks $u$), the fact that $\overline{xu}_{\nu'} \geq C'_{xu} \cdot 2\varepsilon$ follows 
directly from the construction of $\nu'$. For the counters $C'_{ux}$ we consider two cases. Let us 
denote the clock chosen by the min function in the construction of the value $\nu'(x)$ by $z$. 

(1) If the clock $z$ does not have the same fractional part as $u$ in $D'$ then we have again two 
possibilities. 

(a) If $D' \models \overline{xzu}$ then we have that $C_{uz} = C'_{uz} \geq C'_{ux} + C'_{xz}$ (Lemma 5.2). From the 
fact that $\nu \models_{2\varepsilon} C$ and from the construction of $\nu'$ we have that $\overline{uz}_{\nu'} \geq C'_{uz} \cdot 2\varepsilon$ and 
$\overline{xz}_{\nu'} = C'_{xz} \cdot 2\varepsilon$, therefore $\overline{ux}_{\nu'} = \overline{uz}_{\nu'} - \overline{xz}_{\nu'} \geq C'_{ux} \cdot 2\varepsilon$. 

(b) If $D' \models \overline{xuz}$ then we have that $\overline{ux}_{\nu'} \geq \overline{zx}_{\nu'}$. From the construction of $\nu'$ we 
have that $\overline{zx}_{\nu'} = 1 - C'_{xz} \cdot 2\varepsilon$ and from the condition on $\varepsilon$ we have that 
$1 > 2 \cdot \max\{C'_{xz}, C'_{ux}\} \cdot 2\varepsilon$. This together gives that $\overline{zx}_{\nu'} \geq C'_{ux} \cdot 2\varepsilon$. 

(2) If the clock $z$ has the same fractional part as $u$ in $D'$ then it suffices to observe that 
$C'_{xu} + C'_{ux} \leq 2 \cdot \max\{\rho\}$ and thus $1 > (C'_{xu} + C'_{ux}) \cdot 2\varepsilon$. From the construction of $\nu'$ we 
have that $\overline{ux}_{\nu'} = 1 - C'_{xu} \cdot 2\varepsilon$ and thus $\overline{ux}_{\nu'} \geq C'_{ux} \cdot 2\varepsilon$. 
As the fourth case we consider regions $D'$ where $x$ has strictly greater fractional part than 
other clocks (Item 4 in the construction, depicted in Figure 11). We denote a clock with 
the greatest fractional part smaller than the fractional part of $x$ in $D'$ by $d$ (there is always 
one such clock, since $|\mathcal{C}| \geq 2$). The correctness argument is 'dual' to the argument from the 
third case. 

We have to show that $\nu' \in D'$ and that $\nu' \models_{2\varepsilon} C'$. First we show that $\nu' \in D'$. We 
have to show that $(\mathrm{fr}(\nu(z)) + C'_{zx} \cdot 2\varepsilon) < 1$ for all clocks $z$ and that $d <_{D'} x$. The first part 
follows from the fact that $\overline{zx}_{\nu} \geq C_{zx} \cdot 2\varepsilon$, $\nu(z) = \nu'(z)$, and $C'_{zx} < C_{zx}$. At this place, we 
use the fact that the value of $C_{zx}$ is incremented along these transitions in the extended 
R-automaton construction. The second fact follows from the first one and from the fact that 
$C'_{dx} \geq 1$ (Lemma 5.2). 

Now we have to show that $\nu' \models_{2\varepsilon} C'$. The argument is the same as the argument for 
the first case, with the difference that for the counters $C'_{uv}$ such that $u, v \neq x$ we have that 
$C'_{uv} \leq C_{uv}$. 

It remains to show that there is a valuation $\nu \in D$ such that $\nu \models_{2\varepsilon} C$. We construct $\nu$ 
in the following way. Let the integral parts of all clocks correspond to $D$. Let $a$ be a clock 
with the smallest fractional part in $D$. If $a =_D 0$ then $\mathrm{fr}(\nu(a)) = 0$, otherwise $\mathrm{fr}(\nu(a)) = \varepsilon$. 
For all other clocks $b$, let $\mathrm{fr}(\nu(b)) = \mathrm{fr}(\nu(a)) + C_{ab} \cdot 2\varepsilon$. Correctness of this assignment (for all $b$, 
$C_{ab} \cdot 2\varepsilon < 1 - \varepsilon$) follows from the condition on $\varepsilon$. 

We need to show that $\nu \in D$ and that $\nu \models_{2\varepsilon} C$. The former follows directly from 
Lemma 5.2 and the latter from the following consideration. For all clocks $c <_D d$, $\overline{cd}_{\nu} \geq 
C_{cd} \cdot 2\varepsilon$, because $C_{ac} + C_{cd} \leq C_{ad}$ (Lemma 5.2), and $\overline{dc}_{\nu} \geq C_{dc} \cdot 2\varepsilon$, because 
$\overline{dc}_{\nu} \geq 1 - C_{ad} \cdot 2\varepsilon$ and $1 > (C_{ad} + C_{dc}) \cdot 2\varepsilon$. We also know that $\overline{ba}_{\nu} \geq C_{ba} \cdot 2\varepsilon$ for all clocks 
$b$, because $\varepsilon < 1/(4 \cdot \max\{\rho\})$. □ 
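The valuation built at the end of this proof can be checked mechanically. The following Python script is an added example, not part of the paper: it assumes the distance notation $\overline{xy}_{\nu} = (\mathrm{fr}(\nu(y)) - \mathrm{fr}(\nu(x))) \bmod 1$ and the reading $\nu \models_{2\varepsilon} C$ iff $\overline{xy}_{\nu} \geq C_{xy} \cdot 2\varepsilon$ for all pairs of distinct clocks, fixes $\varepsilon = 1/(4 \cdot \max\{\rho\})$, assigns fractional parts exactly as above to a constructed three-clock counter matrix that respects the additivity constraints of Lemma 5.2, and verifies the result with exact rational arithmetic. The optional `divisor` parameter is an addition for experimenting with a coarser $\varepsilon$; with $\varepsilon = 1/(2 \cdot \max\{\rho\})$ the assignment already leaves the unit interval.

```python
from fractions import Fraction

# Added example, not the paper's code.  Assumed definition (restated from the
# paper's notation): the distance from clock x to clock y in valuation nu is
#   xy_nu = (fr(nu(y)) - fr(nu(x))) mod 1,   a value in [0, 1).
def dist(fr, x, y):
    return (fr[y] - fr[x]) % 1


def satisfies(fr, C, step):
    """nu |=_step C: for every ordered pair of distinct clocks the distance
    xy_nu is at least C[x][y] * step (step = 2*eps in Lemma 5.4)."""
    return all(dist(fr, x, y) >= C[x][y] * step
               for x in C for y in C[x] if x != y)


def construct_valuation(order, C, a_is_zero, divisor=None):
    """Fractional parts of the valuation built at the end of Lemma 5.4.

    order      clocks listed by increasing fractional part in the region D;
               order[0] is the clock a with the smallest fractional part
    C          counter values C[x][y] of the last state of the run
    a_is_zero  whether a =_D 0
    divisor    eps = 1/divisor; defaults to the paper's 4 * max{rho}

    Returns (eps, fr) with fr mapping each clock to its fractional part.
    Raises ValueError when the assignment leaves the unit interval, which
    is exactly what the condition on eps rules out."""
    max_counter = max(C[x][y] for x in C for y in C[x] if x != y)
    eps = Fraction(1, divisor if divisor else 4 * max_counter)
    a = order[0]
    fr = {a: Fraction(0) if a_is_zero else eps}
    for b in order[1:]:
        fr[b] = fr[a] + C[a][b] * 2 * eps          # fr(a) + C_ab * 2eps
        if fr[b] >= 1:
            raise ValueError(f"C_{a}{b} * 2eps = {C[a][b] * 2 * eps} too large")
    return eps, fr


# Constructed sample: three clocks a <_D c <_D d whose counters satisfy the
# additivity constraints of Lemma 5.2 (C_ac + C_cd <= C_ad, and so on).
SAMPLE_ORDER = ["a", "c", "d"]
SAMPLE_C = {
    "a": {"c": 1, "d": 3},
    "c": {"a": 1, "d": 2},
    "d": {"a": 1, "c": 1},
}


def check_sample(a_is_zero):
    """Build nu for the sample and report whether nu |=_{2eps} C."""
    eps, fr = construct_valuation(SAMPLE_ORDER, SAMPLE_C, a_is_zero)
    return satisfies(fr, SAMPLE_C, 2 * eps)


if __name__ == "__main__":
    for flag in (True, False):
        eps, fr = construct_valuation(SAMPLE_ORDER, SAMPLE_C, flag)
        print(f"a =_D 0: {flag}, eps = {eps}, fr = {fr}, "
              f"nu |= C: {satisfies(fr, SAMPLE_C, 2 * eps)}")
```

Both choices for $a$ (zero or $\varepsilon$) yield a valuation satisfying all six pairwise distance constraints; passing `divisor=6` for this sample, i.e. $\varepsilon = 1/(2 \cdot \max\{\rho\})$, makes $\mathrm{fr}(\nu(d))$ reach $1$ and raises the error, which is the case excluded by the condition on $\varepsilon$.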

We also prove that the maximum counter value of a path constrains $\varepsilon$ from above. 

Lemma 5.5. Let $R$ be the extended R-automaton constructed from the region graph $G$ 
induced by a timed automaton $A$. Let $\rho = ((q_0, \{\nu_0\}), C_0, \emptyset) \longrightarrow ((q, D), C, <)$ be a run in 
$R$, $\alpha = (q_0, \{\nu_0\}) \longrightarrow (q, D)$ be the corresponding path in $G$ and $\rho' = (q_0, \nu_0) \longrightarrow_{\varepsilon} (q, \nu)$ be 
a run in $[\![A]\!]_{\varepsilon}$ for some $\varepsilon$ such that $\rho' \models \alpha$. Then for all pairs of clocks $x, y$, $\overline{xy}_{\nu} \geq C_{xy} \cdot \varepsilon$. 

Proof. By induction on the length of $\alpha$. The basic step is trivial. For the induction step, we 
show that if the runs of $R$ and $A$ end in the states $((q', D'), C', <')$ and $(q', \nu')$, respectively, 
satisfying the condition, i.e., for all pairs of clocks $x, y$, $\overline{xy}_{\nu'} \geq C'_{xy} \cdot \varepsilon$, then the condition is 
also satisfied after transitions leading to the next (complete) states $((q, D), C, <)$ and $(q, \nu)$. 
We discuss the types of transitions. 

We first discuss the case where the edge leads to the immediate time successor. The 
condition is clearly satisfied, because neither the differences between the clocks nor the 
counter values change after a time transition. 
We discuss an edge along which a clock (denote $x$) is reset. The case where $\mathrm{fr}(\nu'(x)) = 0$ 
($x$ has zero fractional part in $D'$, $x =_{D'} 0$) clearly keeps the condition satisfied, because 
neither the differences between the clocks nor the counter values change after reset of $x$. For 
the other case, we discuss several different types of the regions $D, D'$. 

As the first case we consider the situation where the region $D'$ has a clock $a$ with 
zero fractional part (depicted in Figure 9, Item 1 in the construction). For the clocks $u, v$ 
different from the clock $x$, the distances between the fractional parts do not change and 
$C_{uv} = C'_{uv}$, $C_{vu} = C'_{vu}$. For each clock $u$, $C_{xu} = C'_{au}$, $C_{ux} = C'_{ua}$, hence the condition is 
satisfied from IH. 

As the second case we consider the situation where Item 2 in the construction applies. 
There, the region $D'$ has clocks $a, d$ such that the fractional part of the clock $a$ is smaller 
than or equal to the fractional part of $x$ and the fractional part of the clock $d$ is greater 
than or equal to the fractional part of $x$ (depicted in Figure 10). We denote a clock with the 
greatest fractional part smaller than the fractional part of $x$ by $b$ (there is always one such 
clock, since $b$ could be the clock $a$). We also denote a clock with the smallest fractional part 
greater than or equal to the fractional part of $x$ by $c$ (there is always one such clock, since 
$c$ could be the clock $d$). 

First, we look at the distances $\overline{xa}$, $\overline{dx}$, $\overline{da}$. We have that $C_{xa} = C_{dx} = 1$, but already from 
the region we know that $\overline{xa}_{\nu} \geq \varepsilon$, $\overline{dx}_{\nu} \geq \varepsilon$. Lemma 5.2 gives us that $C_{da} = \max\{C'_{da}, C_{dx} + 
C_{xa} = 2\}$, so the condition either holds from IH ($C'_{da} \geq 2$) or because $\overline{da}_{\nu} \geq 2 \cdot \varepsilon$ (from the 
region). 

For the distances between the clocks $a$ and $d$ (avoiding $x$ in $D$), neither distances nor 
the counter values change. 

For the distances between the clocks $c$ and $b$ different from $x$ such that $b <_D c$ (alternatively, 
$\mathrm{fr}(\nu(b)) < \mathrm{fr}(\nu(c))$) we have to analyze the counters carefully. (This is the case 
where we pass through $x$ in $D$ when going from $c$ to $b$; in the following argumentation 
we assume that $c$ is different from $a$ and $b$ is different from $d$, but it is easy to see that 
the same arguments, even a bit simplified, would work if this assumption does not hold.) 
If $C_{cb} = C'_{cb}$ then the validity of the condition holds from IH. If $C_{cb} > C'_{cb}$ then from 
Lemma 5.3 we know that $C_{cb} = C_{cx} + C_{xb} = C'_{cb} + 1$. From the construction, $C_{cx} = C'_{cd} + 1$ 
and $C_{xb} = C'_{ab} + 1$. From Lemma 5.2 we have that $C'_{da} \geq 1$ and $C'_{cb} \geq C'_{cd} + C'_{da} + C'_{ab}$. 
Then $C'_{cb} = C'_{cd} + C'_{da} + C'_{ab}$ and $C'_{da} = 1$. From this it follows that $C_{cb} = C'_{cd} + 2 + C'_{ab}$. 
We also have that $\overline{cb}_{\nu} = \overline{cd}_{\nu} + \overline{da}_{\nu} + \overline{ab}_{\nu}$. From IH we know that $\overline{cd}_{\nu} = \overline{cd}_{\nu'} \geq C'_{cd} \cdot \varepsilon$, 
$\overline{ab}_{\nu} = \overline{ab}_{\nu'} \geq C'_{ab} \cdot \varepsilon$, from the region we have that $\overline{da}_{\nu} \geq 2 \cdot \varepsilon$. Together, $\overline{cb}_{\nu} \geq C_{cb} \cdot \varepsilon$. 

Now we look at the distances between $x$ and other clocks in the region denoted $b$ such 
that $a <_D b$. Directly from the construction of $R$ we have that $C_{xb} = 1 + C_{ab} = 1 + C'_{ab}$. 
From IH we know that $\overline{ab}_{\nu} = \overline{ab}_{\nu'} \geq C'_{ab} \cdot \varepsilon$, from the region we have that $\overline{xa}_{\nu} \geq \varepsilon$. Since 
$\overline{xb}_{\nu} = \overline{xa}_{\nu} + \overline{ab}_{\nu}$, all together gives that $\overline{xb}_{\nu} \geq C_{xb} \cdot \varepsilon$. 

It remains to check the distances between clocks $b$ such that $b <_D d$ and $x$. This case is 
symmetrical to the previous case. 

As the third case we consider the situation where Item 3 in the construction applies. 
There, $x$ has strictly smaller fractional part than other clocks in the region (depicted in 
Figure 11). We denote a clock with the smallest fractional part greater than the fractional 
part of $x$ by $a$ (there is always one such clock, since $|\mathcal{C}| \geq 2$). We also denote a clock with 
the greatest fractional part in $D'$ by $d$ (there is always one such clock, since it could also be 
$a$). 

First, we look at the distances between $x$ and other clocks in the region, denoted $b$. 
From the construction we have that $C_{xb} = C'_{xb} + 1$. From IH we know that $\overline{xb}_{\nu'} \geq C'_{xb} \cdot \varepsilon$, 
from the region we have that $\overline{xb}_{\nu} \geq \overline{xb}_{\nu'} + \varepsilon$. Together, $\overline{xb}_{\nu} \geq C_{xb} \cdot \varepsilon$. 

Now we check the distances between clocks in the region denoted by $b$ and $x$. $C_{dx} = 1$, 
but already from the region we know that $\overline{dx}_{\nu} \geq \varepsilon$. For the other clocks we have directly from 
the construction of $R$ that $C_{bx} = C'_{bd} + 1 = C_{bd} + 1$. From IH we know that $\overline{bd}_{\nu} = \overline{bd}_{\nu'} \geq C'_{bd} \cdot \varepsilon$, 
from the region we have that $\overline{dx}_{\nu} \geq \varepsilon$. Since $\overline{bx}_{\nu} = \overline{bd}_{\nu} + \overline{dx}_{\nu}$, all together gives that 
$\overline{bx}_{\nu} \geq C_{bx} \cdot \varepsilon$. 

For the distances between the clocks $c$ and $b$ different from $x$ such that $b <_D c$ (alternatively, 
$\mathrm{fr}(\nu(b)) < \mathrm{fr}(\nu(c))$) we have to analyze the counters carefully. (In the following 
argumentation we assume that $c$ is different from $a$ and $b$ is different from $d$, but it is easy to 
see that the same arguments, even a bit simplified, would work if this assumption does not 
hold.) If $C_{cb} = C'_{cb}$ then the validity of the condition holds from IH. If $C_{cb} > C'_{cb}$ then we 
know from Lemma 5.3 that $C_{cb} = C_{cx} + C_{xb} = C'_{cb} + 1$. From the construction, $C_{cx} = C'_{cd} + 1$ 
and $C_{xb} = C'_{xb} + 1$. From Lemma 5.2 we have that $C'_{cb} \geq C'_{cd} + C'_{dx} + C'_{xb}$ and that $C'_{dx} \geq 1$. 
Then $C'_{cb} = C'_{cd} + C'_{dx} + C'_{xb}$ and $C'_{dx} = 1$. From this it follows that $C_{cb} = C'_{cd} + 2 + C'_{xb}$. We 
also have that $\overline{cb}_{\nu} = \overline{cd}_{\nu} + \overline{dx}_{\nu} + \overline{xb}_{\nu}$. From IH we know that $\overline{cd}_{\nu} = \overline{cd}_{\nu'} \geq C'_{cd} \cdot \varepsilon$, we have 
shown that $\overline{xb}_{\nu} \geq (C'_{xb} + 1) \cdot \varepsilon$, from the region we have that $\overline{dx}_{\nu} \geq \varepsilon$. Together, $\overline{cb}_{\nu} \geq C_{cb} \cdot \varepsilon$. 

For the distances between the clocks $a$ and $d$ (avoiding $x$ in $D, D'$), neither distances 
nor the counter values change. 

As the fourth case we consider the situation where Item 4 in the construction applies. 
This case is dual to the third case. □ 



6. Decidability Proof 

First we show that Theorem 3.1 is true for timed automata with one clock. 

Lemma 6.1. For a given timed automaton $A$ with the set of clocks $\mathcal{C}$ such that $|\mathcal{C}| = 1$, 
$L_{1/2}(A) = L(A)$ and $L^{\omega}_{1/2}(A) = L^{\omega}(A)$. 

Proof. Let us denote the clock by $x$. For each run over $w$ in $[\![A]\!]_{\mathbb{R}_{\geq 0}}$, we construct a run 
in $[\![A]\!]_{1/2}$ as follows. We modify the time delays so that all discrete transitions taken with 
$\mathrm{int}(x) = i$ and $\mathrm{fr}(x) \neq 0$ are now taken with $\mathrm{int}(x) = i$ and $\mathrm{fr}(x) = 1/2$. Clearly, there is 
such a run in $[\![A]\!]_{\mathbb{R}_{\geq 0}}$, because for all $i \in \mathbb{N}$, all valuations with $\mathrm{int}(x) = i$ and $\mathrm{fr}(x) \neq 0$ are 
untimed bisimilar. Such a run is also a run in $[\![A]\!]_{1/2}$. □ 

For the other cases, we first show how to transform a given timed automaton into a timed 
automaton which resets at most one clock along each transition and which is equivalent with 
respect to the sampling problem. For each discrete transition labeled by $a$ with a guard $g$ 
and reset $Y \subseteq \mathcal{C}$, we create a sequence of $|\mathcal{C}|$ transitions (and $|\mathcal{C}| - 1$ auxiliary non-accepting 
states between them) labeled by $a$. These transitions reset clocks from $Y$ one by one. If 
$Y \neq \emptyset$ then let us denote the first reset clock by $x$. The first transition is guarded by $g$ and 
the guards on the other transitions are either $g$ if $|Y| = 0$ or $x = 0$ otherwise. 

Lemma 6.2. For a given timed automaton $A$ with the set of clocks $\mathcal{C}$, the timed automaton 
$A'$ with at most one reset along each transition constructed as above is equivalent to $A$ with 
respect to the sampling problem. 

Proof. Let $h : \Sigma^* \to \Sigma^*$ be a homomorphism with respect to the word concatenation defined 
by $h(a) = a^{|\mathcal{C}|}$, $a \in \Sigma$. Clearly, $w \in L(A)$ if and only if $h(w) \in L(A')$. For a run $\rho$ over $w$ in 
$[\![A]\!]_{\mathbb{R}_{\geq 0}}$, we can construct a run $\rho'$ over $h(w)$ in $[\![A']\!]_{\mathbb{R}_{\geq 0}}$ using the same time delays as $\rho$ by 
taking no delays in the auxiliary states. For a run $\rho'$ over $h(w)$ in $[\![A']\!]_{\mathbb{R}_{\geq 0}}$, we can construct 
a run $\rho$ over $w$ in $[\![A]\!]_{\mathbb{R}_{\geq 0}}$ using the delays which are sums of the time delays from $\rho'$ by 
adding up all delays from the auxiliary states. Observe that when at least one clock is reset 
along a transition in $A$ then the delays in the corresponding auxiliary states are zero. □ 
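As an added illustration (not code from the paper), the construction above and the homomorphism $h$ from the proof, in Python. The representation of the timed automaton (named tuples with guards kept as opaque strings), the names of the auxiliary states and the guard-ignoring membership test are assumptions of this example; the membership test only witnesses the untimed equivalence $w \in L(A)$ iff $h(w) \in L(A')$ on a constructed two-clock automaton, it does not check timing.

```python
from collections import namedtuple

# Added example, not the paper's code.  The representation of a timed
# automaton below (named tuples, guards kept as opaque strings, fresh
# auxiliary state names "aux_i_j") is an assumption of this example.
Transition = namedtuple("Transition", "src label guard resets dst")


def split_resets(clocks, transitions):
    """Normalisation of Lemma 6.2: every transition q -(a, g, Y)-> q' becomes
    a chain of |C| transitions labelled a through |C|-1 fresh non-accepting
    states, resetting the clocks of Y one at a time.  The first transition
    keeps g; the others are guarded by 'x == 0' for the first reset clock x
    when Y is non-empty, and by g again when Y is empty."""
    clocks = list(clocks)
    out = []
    for i, t in enumerate(transitions):
        resets = [c for c in clocks if c in t.resets]        # fixed order
        chain = ([t.src]
                 + [f"aux_{i}_{j}" for j in range(len(clocks) - 1)]
                 + [t.dst])
        later_guard = f"{resets[0]} == 0" if resets else t.guard
        for j in range(len(clocks)):
            guard = t.guard if j == 0 else later_guard
            reset = frozenset({resets[j]}) if j < len(resets) else frozenset()
            out.append(Transition(chain[j], t.label, guard, reset, chain[j + 1]))
    return out


def h(word, clocks):
    """The homomorphism of Lemma 6.2: h(a) = a^{|C|}."""
    return "".join(a * len(clocks) for a in word)


def untimed_accepts(transitions, init, finals, word):
    """Guard-ignoring membership test on the underlying finite automaton;
    enough to observe w in L(A) iff h(w) in L(A') at the untimed level."""
    current = {init}
    for a in word:
        current = {t.dst for t in transitions
                   if t.src in current and t.label == a}
    return bool(current & set(finals))


# Constructed sample: clocks x, y; an a-transition resetting both, then a
# b-transition resetting nothing.  q0 is the only accepting location.
CLOCKS = ("x", "y")
SAMPLE = [
    Transition("q0", "a", "x < 2", frozenset({"x", "y"}), "q1"),
    Transition("q1", "b", "y > 1", frozenset(), "q0"),
]


if __name__ == "__main__":
    for t in split_resets(CLOCKS, SAMPLE):
        print(t)
```

For the sample, the $a$-transition becomes `q0 -a, x < 2, {x}-> aux_0_0 -a, x == 0, {y}-> q1`, so no time can elapse between the two resets, while the reset-free $b$-transition is split into two copies guarded by `y > 1`, whose delays the proof above adds back together.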

The next lemma shows how to remove the transitions labeled by $\delta$ in the extended 
R-automaton $R$ constructed in Section 5. We use the same algorithm as is used for removing 
$\epsilon$-transitions in finite automata. Each sequence of transitions 
$s_1 \xrightarrow{\delta, (0, \ldots, 0)} \cdots \xrightarrow{\delta, (0, \ldots, 0)} s_{k-1} \xrightarrow{a, e} s_k$ 
is replaced by the transition $s_1 \xrightarrow{a, e} s_k$. Clearly, this construction 
results in an extended R-automaton. Let for a word $w$ and an extended R-automaton $R$, 
$\sigma_R(w) = \min\{B \mid w \in L_B(R)\}$ (where $\min\{\} = \omega$). Let $w \downarrow \delta$ for $w \in (\Sigma \cup \{\delta\})^*$ denote the 
projection of $w$ to $\Sigma^*$ (we skip all letters $\delta$). Let $w \vee w'$ denote the shuffle of the two words. 

Lemma 6.3. Let $R$ be an extended R-automaton constructed in Section 5 and $R'$ be the 
extended R-automaton constructed as above. Then for each $w \in L(R')$ there is $k \in \mathbb{N}$ 
and $w' \in w \vee \delta^k$ such that $w' \in L(R)$ and $\sigma_{R'}(w) = \sigma_R(w')$. Also, for each $w \in L(R)$, 
$w \downarrow \delta \in L(R')$ and $\sigma_{R'}(w \downarrow \delta) \leq \sigma_R(w)$. 

Proof. The proof follows directly from the fact that the effect $(0, \ldots, 0)$ does not change the 
counter values and the preorder $<$. □ 
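The $\delta$-removal and the quantity $\sigma_R(w)$ can be exercised on a small constructed automaton. The Python below is an added example, not the paper's code; it models only the counter component of an extended R-automaton (effects over $\{0, 1, r\}$ as in R-automata, the $\delta$-effect being $(0, \ldots, 0)$), omits the preorder component, which the $\delta$-effect leaves unchanged as well, and computes $\sigma$ by exhaustive simulation of all runs over a finite word, which is adequate for a single word but is not the limitedness decision procedure of Section 4. The letter name `"delta"` and the tuple encoding of transitions are assumptions of the example.

```python
INF = float("inf")

# Added example, not the paper's code.  Only the counter component of an
# extended R-automaton is modelled: an effect is a tuple over {0, 1, 'r'}
# (keep, increment, reset) as in R-automata; the preorder component is
# omitted because the delta-effect (0, ..., 0) leaves it unchanged as well.
def apply_effect(counters, effect):
    return tuple(0 if e == "r" else c + e for c, e in zip(counters, effect))


def remove_delta(states, transitions, finals):
    """epsilon-removal with delta in the role of epsilon: the chain
    s1 -delta-> ... -delta-> s_{k-1} -(a, e)-> s_k collapses to s1 -(a, e)-> s_k.
    States that reach a final state through deltas alone become final."""
    closure = {s: {s} for s in states}
    changed = True
    while changed:                                  # delta-reachability fixpoint
        changed = False
        for src, letter, _eff, dst in transitions:
            if letter != "delta":
                continue
            for s in states:
                if src in closure[s] and dst not in closure[s]:
                    closure[s].add(dst)
                    changed = True
    new_t = {(s, letter, eff, dst)
             for s in states
             for src, letter, eff, dst in transitions
             if letter != "delta" and src in closure[s]}
    new_finals = {s for s in states if closure[s] & set(finals)}
    return sorted(new_t, key=repr), new_finals


def sigma(init, transitions, finals, word, n_counters):
    """sigma_R(w) = min{B | w in L_B(R)}: the least bound that some accepting
    run over w keeps every counter under; INF (the paper's omega) if none."""
    configs = {(init, (0,) * n_counters, 0)}       # (state, counters, max seen)
    for a in word:
        configs = {(dst, c2, max(seen, *c2))
                   for state, cnt, seen in configs
                   for src, letter, eff, dst in transitions
                   if src == state and letter == a
                   for c2 in [apply_effect(cnt, eff)]}
    return min((seen for s, _c, seen in configs if s in finals), default=INF)


# Constructed sample with one counter: from s1 the b-step either increments
# the counter directly, or resets it after a delta-step through s2.
R_STATES = ["s0", "s1", "s2", "s3"]
R_TRANS = [
    ("s0", "a", (1,), "s1"),
    ("s1", "delta", (0,), "s2"),
    ("s2", "b", ("r",), "s3"),
    ("s1", "b", (1,), "s3"),
]
R_FINALS = {"s3"}


def lemma_6_3_witness():
    """Returns (sigma_R'(ab), sigma_R(a delta b), sigma_R(ab)): the first two
    agree and the first is at most the third, as Lemma 6.3 states."""
    new_t, new_f = remove_delta(R_STATES, R_TRANS, R_FINALS)
    return (sigma("s0", new_t, new_f, ["a", "b"], 1),
            sigma("s0", R_TRANS, R_FINALS, ["a", "delta", "b"], 1),
            sigma("s0", R_TRANS, R_FINALS, ["a", "b"], 1))


if __name__ == "__main__":
    print(lemma_6_3_witness())
```

On the sample, $\sigma_{R'}(ab) = 1 = \sigma_R(a\delta b)$ while $\sigma_R(ab) = 2$: the shuffled word $a\delta b$ is the $w'$ of the first claim of the lemma, and $ab \downarrow \delta = ab$ with $\sigma_{R'}(ab) \leq \sigma_R(ab)$ is the second.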

Let $h$ be a homomorphism which triples each letter in the word, i.e., $h(a) = aaa$ for all 
$a \in \Sigma$. Now we have all tools to prove the main theorem. 

Proof of Theorem 3.1. First, we show the claim for finite words, i.e., decidability of the sampling 
problem. Lemma 6.2 allows us to consider only timed automata with at most one reset along 
each transition. For such a timed automaton $A$, we construct an extended R-automaton $R$ 
as described in Section 5 and an extended R-automaton $R'$ as described above. According 
to Lemma 4.1, it is decidable whether the language of an extended R-automaton is limited. 

If the language of $R'$ is limited by a natural number $B$ then let $\varepsilon = 1/(4 \cdot B)$. For each 
(untimed) word $w \in L(A)$ there is a run of $R'$ which accepts $h(w)$ with counters bounded 
by $B$. From Lemma 6.3 we know that there is a number $k$ and a word $w' \in h(w) \vee \delta^k$ 
such that $w'$ is accepted by $R$ with counters bounded by $B$. Having an accepting run of $R$, 
Lemma 5.4 says that $A$ accepts $w$ in $\varepsilon$-sampled semantics (it accepts a timed word whose 
untimed version is $w$). 

Assume that the language of $R'$ is not limited. For each $\varepsilon = 1/B$ where $B$ is a natural 
number we find a word $h(w)$ such that some counter $C_{xy}$ exceeds $B$ along each accepting 
run of $R'$. From Lemma 6.3 we know that for all $k$ and for all $w' \in h(w) \vee \delta^k$, there is no 
accepting run of $R$ over $w'$ with counters bounded by $B$. According to Lemma 5.5 there is 
no accepting run of $A$ over $w$ in $\varepsilon$-sampled semantics, because it would have to visit a state 
$(q, \nu)$ with $\overline{xy}_{\nu} > B \cdot \varepsilon = 1$. 

The following shows decidability of the $\omega$-sampling problem. The $\omega$-limitedness problem 
is decidable for extended R-automata over $\omega$-words with Büchi acceptance conditions. It 
has been shown that $\omega$-universality is decidable for R-automata in [AKY08]. In the same way 
as for the finite words case, we can use this result to show that $\omega$-limitedness is decidable for 
R-automata. Then the decidability of $\omega$-limitedness for extended R-automata follows from 
Lemmas 4.7 and 4.11 together with the other lemmas of Section 4. 

If the extended R-automaton $R$ constructed from a given timed automaton $A$ is $\omega$-limited 
then we show that $A$ can be $\omega$-sampled as follows. From the finite word case we 
know that there is an $\varepsilon$ such that each (finite) prefix of a $w \in L^{\omega}(R)$ has a corresponding 
concrete run of $A$ in $\varepsilon$-sampled semantics. We show how to construct all prefixes of an 
infinite accepting concrete run of $A$ over $w$ in $\varepsilon$-sampled semantics. The basic idea behind 
this construction is that each $\varepsilon$ gives us an equivalence relation on valuations with finite index 
(defined formally below). This means that there are only finitely many possible transitions 
from each state. Therefore, we have an infinite tree induced by the runs over prefixes which 
is finitely branching. According to König's Lemma, this tree has an infinite branch. 

Now we formalize the previous intuition. Let $B$ be a natural number such that $L^{\omega}_B(R) = 
L^{\omega}(R)$. Let $\rho$ be an accepting run over $w \in \Sigma^{\omega}$ with $\max\{\rho\} \leq B$ and let $\varepsilon = 1/(4 \cdot B)$. Let 
us denote by $H$ the set of concrete runs of $A$ along all prefixes of $\rho$ given by Lemma 5.4. 

First, we define an equivalence relation $\sim_K$ on clock valuations by $\nu \sim_K \nu'$ if for all 
clocks $x$, $\nu(x) \neq \nu'(x)$ implies $\nu(x) > K$ and $\nu'(x) > K$. Let $K$ be the greatest constant 
which appears in $A$. It is easy to see that for each $\varepsilon$, $\sim_K$ has a finite index on the set of 
valuations $\{\nu \mid \forall x \in \mathcal{C}\ \exists k \in \mathbb{N}.\ \nu(x) = k \cdot \varepsilon\}$. Also, $\sim_K \subseteq \simeq_K$. 

We construct the prefixes inductively. We assume that we can build a prefix of length $j$ 
ending in a state $(q, \nu)$ such that there is an infinite subset of $H$ containing only runs whose 
$j$-th state is $(q, \nu')$ for some $\nu' \sim_K \nu$. The run of length $0$ is just the initial state $(q_0, \nu_0)$ 
(which is a prefix of all runs in $H$). To build the prefix of length $j + 1$, we need to extend the 
prefix of length $j$. We have infinitely many runs whose $j$-th state is $(q, \nu')$ for some $\nu' \sim_K \nu$. 
We pick an infinite subset of these runs such that the valuations in their $(j+1)$-st states are 
equivalent with respect to $\sim_K$. There is always such an infinite subset, because $\sim_K$ has 
a finite index in $\varepsilon$-sampled semantics. We pick a state $(q', \nu')$ such that it can be reached 
from $(q, \nu)$ and it is equivalent with respect to $\sim_K$ to the states in the infinite subset as the 
$(j+1)$-st state. Clearly, there is such a state. 

For the other direction, let us assume that for each $B$ there is $w_B \in \Sigma^{\omega}$ such that 
$w_B \notin L^{\omega}_B(R)$. We show that $A$ cannot be $\omega$-sampled. For each $\varepsilon$ we pick $B = 1/\varepsilon$. There is 
a counter $C_{xy}$ which exceeds $B$ in each accepting run of $R$ over $w_B$. From Lemma 5.5 each 
accepting run of $A$ over $w_B$ requires $\overline{xy}_{\nu} > B \cdot \varepsilon = 1$ in some state $(q, \nu)$ along this run. But 
from the definition, $\overline{xy}_{\nu}$ is always strictly smaller than $1$. □ 

Note that if a timed automaton can be sampled then one can also compute a sampling 
rate $\varepsilon$. First, it is possible to determine a limit $B$ for the extended R-automaton $R'$ constructed 
according to Section 5 such that $L_B(R') = L(R')$ or $L^{\omega}_B(R') = L^{\omega}(R')$. If we know 
that the language of $R'$ is limited then this can be done by checking the language equality 
systematically for all values of $B$. Having a value for $B$, we set $\varepsilon$ to be equal to $1/(4 \cdot B)$. 
One can also compute a value for $B$ directly from the parameters of $R'$, which is shown 
in [AKY08]. 

7. Conclusions 

Timed automata with dense time semantics can enforce behaviors where time distances 
between events monotonically grow while being bounded by some integer. We have formulated 
a property distinguishing timed automata which do not use this ability: the untimed 
language of an automaton in question can be accepted in a semantics where all time delays 
are multiples of a fixed rational number. These automata preserve all qualitative behaviors 
(untimed words) when implemented on a platform with a fixed sampling rate. We have 
also shown that it is decidable whether a timed automaton enjoys this property. The proof 
characterizes the time differences enforced along runs by a new type of counter automata, 
extended R-automata. As a technical contribution of its own interest, we have shown that 
limitedness is decidable for these automata. 

In spite of this positive outcome, our results show a high degree of complexity present 
in dense time behaviors enforced by strict inequalities. Therefore, when we require from our 
model that it can be turned into a sampled implementation, we have to consider the usage of 
strict inequalities with great care. It is questionable whether the modeling advantages of 
strict inequalities outweigh the costs of sampling analysis. 

Acknowledgements 

We would like to thank Radek Pelanek for fruitful discussions and anonymous reviewers 
for their constructive comments. 



References 

[AD94] R. Alur and D. L. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183-235, 1994. 

[AKY08] P. A. Abdulla, P. Krčál, and W. Yi. R-automata. In Proc. of CONCUR'08, volume 5201 of LNCS, pages 67-81. Springer-Verlag, 2008. 

[AMP98] E. Asarin, O. Maler, and A. Pnueli. On discretization of delays in timed automata and digital circuits. In Proc. of CONCUR'98, volume 1466 of LNCS, pages 470-484. Springer-Verlag, 1998. 

[AT05] K. Altisen and S. Tripakis. Implementation of timed automata: An issue of semantics or modeling? In Proc. of FORMATS'05, volume 3829 of LNCS, pages 273-288. Springer-Verlag, 2005. 

[BC06] M. Bojańczyk and T. Colcombet. Bounds in omega-regularity. In Proc. of LICS'06, pages 285-296. IEEE Computer Society Press, 2006. 

[CHR02] F. Cassez, T. A. Henzinger, and J.-F. Raskin. A comparison of control problems for timed and hybrid systems. In Proc. of HSCC'02, volume 2289 of LNCS, pages 134-148. Springer-Verlag, 2002. 

[CL08a] T. Colcombet and C. Löding. The nesting-depth of disjunctive μ-calculus for tree languages and the limitedness problem. In Proc. of CSL'08, volume 5213 of LNCS, pages 416-430. Springer-Verlag, 2008. 

[CL08b] T. Colcombet and C. Löding. The non-deterministic Mostowski hierarchy and distance-parity automata. In Proc. of ICALP'08, volume 5126 of LNCS, pages 398-409. Springer-Verlag, 2008. 

[GPV94] A. Göllü, A. Puri, and P. Varaiya. Discretization of timed automata. In Proc. of CDC'94, pages 957-958, 1994. 

[Has82] K. Hashiguchi. Limitedness theorem on finite automata with distance functions. Computer and System Sciences, 24(2):233-244, 1982. 

[Has90] K. Hashiguchi. Improved limitedness theorems on finite automata with distance functions. Theoretical Computer Science, 72(1):27-38, 1990. 

[HMP92] T. A. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? In Proc. of ICALP'92, volume 623 of LNCS, pages 545-558. Springer-Verlag, 1992. 

[Kir05] D. Kirsten. Distance desert automata and the star height problem. Informatique Théorique et Applications, 39(3):455-509, 2005. 

[KMTY04] P. Krčál, L. Mokrushin, P. S. Thiagarajan, and W. Yi. Timed vs. time triggered automata. In Proc. of CONCUR'04, volume 3170 of LNCS, pages 340-354. Springer-Verlag, 2004. 

[KP05] P. Krčál and R. Pelánek. On sampled semantics of timed systems. In Proc. of FSTTCS'05, volume 3821 of LNCS, pages 310-321. Springer-Verlag, 2005. 

[Leu91] H. Leung. Limitedness theorem on finite automata with distance functions: an algebraic proof. Theoretical Computer Science, 81(1):137-145, 1991. 

[OW03a] J. Ouaknine and J. Worrell. Revisiting digitization, robustness, and decidability for timed automata. In Proc. of LICS'03, pages 198-207. IEEE Computer Society Press, 2003. 

[OW03b] J. Ouaknine and J. Worrell. Universality and language inclusion for open and closed timed automata. In Proc. of HSCC'03, volume 2623 of LNCS, pages 375-388. Springer-Verlag, 2003. 

[Sim94] I. Simon. On semigroups of matrices over the tropical semiring. Informatique Théorique et Applications, 28(3-4):277-294, 1994. 

[WDR04] M. De Wulf, L. Doyen, and J.-F. Raskin. Almost ASAP semantics: From timed models to timed implementations. In Proc. of HSCC'04, volume 2993 of LNCS, pages 296-310. Springer-Verlag, 2004. 



This work is licensed under the Creative Commons Attribution-NoDerivs License. To view 
a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/ or send a 
letter to Creative Commons, 171 Second St, Suite 300, San Francisco, CA 94105, USA, or 
Eisenacher Strasse 2, 10777 Berlin, Germany 



